23542300x8000000000000000354097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:49.735{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C32846EA13F36CAF3B33745D53D11E,SHA256=AD87207D36A8DEF39B6AAEC5147525EEFAD02D68F4CC4CFCDEF933D7D1C3EFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.681{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.508{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06806E82E7094721F6D79BC46AD3C421,SHA256=5546A210F36AD15932B695B5BF425FCC282B453DA9A02AFC50EF794F4D581C80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.214{EFF5EEA8-7A3D-6352-6C06-000000008C02}9723120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.060{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830394697FFB145E353C15604F9681B3,SHA256=7939919D8B108AED6086F88149A7BD1C76E171E5474F30343A7D2F27F2E62754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:50.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196A18E52459D1904859717DF4B950A6,SHA256=856AAC1B73F8DEE6B08D271C47F0C9A760AB3639A9949E078322C7E8F0E6D1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:50.258{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4293D80EFD1BA6C8D4947D8AA3848643,SHA256=3AA4A287071202DCC3A0509A6AABD588EDACB506DFAF12029DE144BCB234B33C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:47.854{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59791-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:51.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129DA1224102F60A465B513B464F544A,SHA256=46197EF116A393FABCC963B7F8744FE0A57771926E94F1D83BD38F8B08FE7BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.997{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.996{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.983{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000235347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.392{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D5FCE189DE2E0AB435C727A5DCADEB,SHA256=B2A3D6A2D4B9497F3E9729CD3442271DFF048E748D07091FD1F01EB71E7678A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:52.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39580EABB8418005F217A77F67D7AB1E,SHA256=D3A7CBD089B9C2DCB3E938361DA9E85E609ECB2D915BF5D0A40E98C0BD36F2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.627{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD9D585462C9D4730D356B5F3D84DA3,SHA256=964C6AEE9D713613E783AD6528EF06212C5B9EEDA03AB944B1C5BAE1DFB6D0E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000354102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:53.974{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6555659C77DA5BDB62A4054E99E24FB,SHA256=64D815194A7BA02575F81DE5FB97C7F2D5C566F0EA42AA2DFFA84A543E96F670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.316{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52178-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:53.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64616BC8625C5330D3A590701C9CE95A,SHA256=7664C5DB3D81C849EF232996F83E9880BBB04381D3CB2DB3F4B7DE97A152D3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:54.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726CB5CF8A905D0213937FA8AC4F0B44,SHA256=3B14CFD699A22698930463E2C382A0C6E57C5F26FF46196B6627465C909D68C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:55.856{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B504472FCD1F2BF41C4A45C0BE24D1B5,SHA256=152A0360F290AF60B171C82079E6C16E25AC8EF68077E100247899521C484723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:55.016{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16B3880372268517CA7C8D31E3F47A6,SHA256=93C077906131B7B4863DAD5FF0239B3F67005ACBE4CF8883E3357D933BE2FEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:56.956{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BADEA0D154D08EF2AED97F6FC1E2D44,SHA256=6D49755D8DE46810F33BDAB09665FE2D70AA1BBBA8C10CD696D5006D2C6251CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:53.836{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:56.078{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E5C2C888F640B785F35255AE9FD318,SHA256=7B3DF04CB0BA518135034EC2C66DA1967728C8FDE80EF0B0DD75A964596BF2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:57.121{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC759C2814D5A5030703EEB53FDA0F1,SHA256=B7991512A36CC09409C59B354072F9B6C09BE9E412DCD4EECE701E9EEC0E6362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:58.183{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3975B7139C616838165FD953147CE22B,SHA256=090E816EA3C43AB48A738EBD8A9B5711AFF251BE2E6778C342844386396E0BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:58.042{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BF01BB855B164D2C8DE33032BB14ED,SHA256=D781316465960FA148E9628B469FAF915754BE6B22A2565199CA34E4BA79688F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:59.325{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824661944F0401D9B75F54C49F42F079,SHA256=FDB938B9A5AAE612D4E8D54BABB7E8A0FB742A66AE65710F5DFC08B3FEE955F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:59.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1415E8153A47E8AA26FD49C4EA1D6CE5,SHA256=EFFB49DDEA8D7A4C5B01F3F017C20E6299FECAF7E99CE53E9231645498AE5DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:00.385{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86321D42C652DFC26CA956F3890BAB7,SHA256=D5632641829133A1B60C42F94AF34F79277BDE35EC95454C8690B2E3A600DF72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:00.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FEA79B9AAB62BFEC8B6781F5FEEAD3,SHA256=659E58BAB1434509DA1482482AE58A3FBB4E04EEDBA40B9A5390C759D336C879,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:57.292{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52179-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:01.486{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9245CC890C817E05F31224A097925711,SHA256=6C5745878F03CB00737093EAD67A8F11EEE42F9922C65E4E6BCE22CC6EBCE8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:01.305{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C140E7278036C97AAFADC7334559A71,SHA256=0E06B4C992103FADDC86EF5B6BD8A2A62477194A42345C925F39D7DA22851636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:01.127{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0238A15C2814A0B770C27861A5629470,SHA256=8D2C8E00C2F26F3CB718BDF2578F10B93A8AE61F6C3B2BB82D139CE148002A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:02.556{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318979F0ED867296A9D37D3C1705633F,SHA256=78F7CA2EF260696F2B8CC897DF40061950EE10665DC7642840DDE59EF230AC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:02.399{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FD489FF3C88CC80E34F5F3CDAA60F7,SHA256=C5D16979B0F10E345722C1208939B804C19A94BAA5A29B47B15F1D1EA18124FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:59.760{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.960{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9039CF83501EB6EA43F495857FF8458B,SHA256=9D260CE797094F7CD64EFC40AC5790D6FF2F50B79E794DF9C695BE46145B3A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.870{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.864{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.861{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.855{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.853{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.832{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.823{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.820{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.817{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.814{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.803{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.796{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.770{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.752{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.735{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.717{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.679{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.660{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.642{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.632{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED1A82F35E6C493841E6AE11E8DE787,SHA256=42CA4DB85F751540C4668EB5EECC333AEB94D555E2D483DF7BF00BCA07C21685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.623{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.595{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:03.493{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E87F7B571FE24B099890839D50AE2F,SHA256=8CCEF3EEF99DF4FC230B1F735D125D055465B2D1F5AB073F500897833BD965D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.550{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.547{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:04.573{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC313290BCA06A76651DA5BA41EFA5,SHA256=3452ACFB89C5B8C6159641BEB1A9B2874CBA892E4495E215A11DF2D4176CE062,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000354151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000354150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c31e41) 13241300x8000000000000000354149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0x0de4c4f2) 13241300x8000000000000000354148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53b-0x6fa92cf2) 13241300x8000000000000000354147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e543-0xd16d94f2) 13241300x8000000000000000354146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000354145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c31e41) 13241300x8000000000000000354144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0x0de4c4f2) 13241300x8000000000000000354143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53b-0x6fa92cf2) 13241300x8000000000000000354142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e543-0xd16d94f2) 23542300x8000000000000000354141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82F0FE0956656DA748A0D9688B26F5E,SHA256=9709DB0AEC7B99018CD7DE49E2F8BEFAB746873F2A46C0E20A6DCCE5DE11D7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.332{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.329{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:05.879{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E4FBA125E8CFB83CB2A145B7AF63549A,SHA256=DC9B0AE838EC7CC0AFFB31A605A0FF09C3CC90F63764936FAEB58F276D774554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:05.651{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9CD9176FF755F862550E25F25EBE51,SHA256=D917852C2FFF4E2CFCDFD1D355DDE5CE1D5BB80D4E0F7CCA9E66FF412BA4542A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:05.760{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AF2A5556936A0F644994A98333857C,SHA256=D9C215762045B15491D751DD719657AC29A60B2B95BE32E159CC691F38A2E64C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:02.496{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52180-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:06.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C26FC73C948E6391578C3D57FC99E6,SHA256=2CDED1742572806436912081B133D500602BE6FD4385F90373567E19242D1253,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.981{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.974{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.972{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.969{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.954{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.945{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.920{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.915{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.902{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.897{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.895{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.886{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.884{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.883{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.880{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.879{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.862{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7FD70CC4479BB3D94030DC8A8ADB46,SHA256=2AB30A1E76042C1BB3EDF49D254E18DB5F3E5602749A609A86D9504BEAC033FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.364{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.363{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.361{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.966{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F3E532ECA39ECB29B0519E0C63B15E,SHA256=C2C64BEB7327CA67597D9D5758150755E088DEC190321C3C2A72B74A23CF071C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:07.809{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0F6397063EDBD841769FF4090F5647,SHA256=ED0DFB768E17336C4EB0AA774A1658553F2BBDFE02BA882B92DA99BB6515D205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.434{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1A6750E3742168692A0A9C9CD8DC1,SHA256=FB14D6B3D9178C07896918649F59116D5DA23334867C1682FFDC5003370D4FD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.144{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.142{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.140{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.138{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.135{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.133{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.130{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.126{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.123{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.120{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.118{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.115{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.113{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.109{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.106{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.103{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.100{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.098{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.095{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.093{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.090{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.087{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.083{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.079{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.076{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.073{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.071{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.069{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.068{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.062{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.041{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.037{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.036{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.035{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.033{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.027{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.016{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:08.897{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2018D1CD8447EEAACEF7927686678EB9,SHA256=A06B0251AA383FF8CC33C6D42A614D626F6378F5A88F7F7B0E717665B7EA9661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:05.782{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59794-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:09.972{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76AD97898650674EFAA8F5DC08A3313,SHA256=83FDC1A9CA1263CD7B7D7D62080BE04541F29AF406C1D5A5196869981AD9462A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:09.079{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3823A80E851C7AEEBCC0998C054F53,SHA256=A0B194B4F4311844BD109DB3DAA391E2A40A590270A375CC3B238B91ECB48311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:10.180{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B49A856D0107E2A95B1C92B75D392B,SHA256=5BFADBED1936C11583F54F2683A276452F0E804C464A925FA914555942216314,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:08.445{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52181-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:11.297{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C5BEEFAA4EA744D67E8F92B49EFBA1,SHA256=F39C5F7ED96B719E64973AA6213122B5BBCD0596D184D9A2FCAC03A94AFEA4AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.958{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.830{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000235399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.064{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A938437476B07F1B6360B8B0E9B0C86B,SHA256=85556A05EAA24CBCD32B28C3E2642D193AEB1F7F6672D4919959BF4390F896FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:12.315{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0738B4C59A1A1137DE0EB586D4159FD8,SHA256=230B297B80AC7BA273CD0D5335BB00683D4CD8990FD2A6CFAF3EE2038B97ACBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.306{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FF4B0AE28E8AFD1136BBC1D0D04D1B,SHA256=03184D77E856BBAD2A3C2E7DC7C3608520A8BC94B42C05F672C95412A6E69355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.018{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 354300x8000000000000000354224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:11.789{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59795-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:13.369{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4EE1B9A94BF9856A0C6407C31D0CDC,SHA256=9D1E7272EFA0E15D278149C9284B335AF34D68B4189CC654F025FEBEEA4144D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:13.333{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB242105DA1BE5AC7CE924E036F81B9F,SHA256=3472D60A9E2D522A94219EFAF1F0E37DFB01DABFF3CA07E56C68FC09C6047766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:14.470{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445247CFBC162A8949B29F8F77DAA455,SHA256=053B8E28A524A5CA2A7C392BC645DCCC7A30D5985E1F1949C486D0023917F163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.431{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.415{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.407{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0FD06514CCE33F6E7AEF3A5ACFD715,SHA256=9BE7EC5B0D7FBA99DB3933AF5E80F3E3EF9FAB8790ECEAE62BFF55F7B5FD6213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.944{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc34949.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.544{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4618EE3A2E1630A225E3D5A98A8423B8,SHA256=7409045032A39BF967CE15D5C4EBE3F851552D5206A19A835F98AE05CA1AFB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:15.488{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710D16988870359BC6F145F1627934A,SHA256=C485E324A488271B426F3804C39EC696CC2850934D4B34CF974CC0C7D699026B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.021{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6DCA7795440314F127D0E253F166F5,SHA256=8E5D68AA120742D479133757EC360342375D4EF4AAF9B8FDD43CA96DDA706080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:16.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F6726A08A0251BE9933FFBAB121809,SHA256=B6EE5A52B4921CEE5EBD8DBE18055B64540B2B6372EAF05A5818A2C8FD6A0C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:16.573{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9100F140DB696D5F6B49FB00BB8F2BA,SHA256=8037F76485E205E466A33B80C55727598BB7061492C6F5A7B137F309EE5D7A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:13.464{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52182-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:17.746{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7A759BE82C31D7F343E1F060AD0521,SHA256=008488DB9B29A849C2D01938DCDE9082ED8FE3D534DF1336CD992D346CAF9A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:17.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A755139E032599262099214FB371AAD,SHA256=0A3AFF499788132F37005EF45B6E1C3EF2DD81A78646D459920A2B96AC5856A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:18.774{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCD0B09E11DA7645CC5D1BE9C4A3A32,SHA256=2501DA15753EB11F252E12FF4528768D99B982FD75B5FF01BD6089C7B16E0B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:18.771{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4884F71FD1454F1995E3FD1D28BDB5AF,SHA256=B5377BE550FD070ED44D1F55357A42135F5B78490231BEB0B38760E445A991DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:19.865{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D679A6D6D39E744ED44DA8AC7525AFD,SHA256=CBCFEDAEE71D9EBC41400E726CF889D933663F8B1643AB30A3AC82BA107DBEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.857{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDAA3728D91A63FEC009AE537BD3D4E,SHA256=4618802C8D9BBB93B644DF357F64250618A80E0A1FD9099CE3A03B26814A3A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.732{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6B45757ACEF90F80B9D549735D78A3F6,SHA256=C4F53D23E2DB1649F60E0ABB24A10AE332C2ACCCBF196998E7FFD1663EC9D79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:20.937{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F23A10F07AA4EF2A36666D1DC8A138,SHA256=79A9AABBAB0606F64D00B2327862BEEC9F50DC5656A677B3E172539C11F7FC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:20.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED6BBC481CDAC97A7A311A0F22503E4,SHA256=1055A1DF2E719D80BBBA8724D06A5DF034A858D8E1697DB8CF459CF1D29DBB55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:17.827{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59796-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000235444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.433{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52183-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:22.031{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AE31F1ADB491212B302FA435A2AC2C,SHA256=6F52750C23C955DF44B13717339C365F6980D50F76F74C6D027245275E35EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:22.028{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D80A5CC708E08819630519C448D8426,SHA256=DB1237838F2278B22ADC36B9D0094C97F6549322B470B9D512AEF1AD44D32128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.802{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.797{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.794{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.788{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.786{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.768{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.759{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.758{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.756{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.749{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.744{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.726{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.716{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.705{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.696{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.669{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.655{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.648{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.635{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.626{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.567{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.564{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1110D954089947DC5E546F4D7C83160,SHA256=F019D602917F1B4F718DC372D0228A3CD98696661A41DCE69413D0D4EB6A5450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:23.655{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-207MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:23.127{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D13933310ADCBFF915253114BECA0,SHA256=1BF7CF17E56DB3AFF2BF2A96AD81968C556F4AF863298CC2D5D78575689DD69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.194{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CCC6825DF5B2977FE14494AF7141E9,SHA256=665069A5CCFD751D695717612CB00D4DAF5BEDDAAE0F050CCE2CF69BA1D9E1F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.188{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.185{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000235449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:24.665{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-208MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:24.195{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569A67B14387CECCC86CF9026A4F5F23,SHA256=A2B26830CDABFFA3D1FEED95AEFB7551BFB5720F738C4C5F4F5F0B27C486915C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.727{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59797-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:25.255{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0323500CB0A5ADD2B01E44BB8E200049,SHA256=1DDAF8CDAAD964822F994D8208561376AC2538FC7DCF56F9A4F3C94A93A2EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:25.280{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F11A70CC3CB7250D47BB528BB2A7CD,SHA256=1C13271C876BBA95AF78ED75A0A0E013CE2DA13B030A5F3CC1CBDB4ABE460044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.998{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.997{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.972{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.964{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.961{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.960{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.958{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.955{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.950{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.947{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.935{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.884{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.876{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.873{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.870{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.847{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.835{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.797{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.786{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.775{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.769{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.768{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.765{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.759{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.758{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.340{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D0E6726D281A4E8F17ADDDBE6E5175,SHA256=ADECBA7A64DF26F2AAABF3F954D6730D49F050606FDE12A04891ED40F42EEFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:26.364{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59C3BC6768A8E4ECB6D7E4B2AE90CD1,SHA256=E6427594565CC71A35E93CB1E723493E426F3ADDFFB69C6C8974C492A6464824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.235{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.233{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.230{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.045{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.045{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.044{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.029{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181BB10886D063D10962FB67D65E790C,SHA256=8168916B27E53AD7A7B182F8C1734D14DC5ADC59B2419BF305689472A91255E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308077924ED24AAF7015BE6CAEDBE3F1,SHA256=6AF60743E3547C6353E1EE3D27828035FB652ED218679A18D036EF9496B9308C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:25.397{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52184-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:27.460{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4804B0EA9A9E64A565ED71B3CA687231,SHA256=8EABDBF1A81EA357EC1835C5A150D42B5E9B98CB21C7A42ED52A78C4A91C71E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.127{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.123{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.118{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.107{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.104{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.101{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.099{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.096{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.094{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.091{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.088{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.085{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.082{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.078{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.075{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.071{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.068{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.065{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.061{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.057{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.050{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.045{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.042{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.033{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.029{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.019{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.017{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.014{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.012{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.011{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.001{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.000{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.787{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AE5F5914FD680D4C2513985D38A9D1,SHA256=DBB64F64BB51E5E5203B8F60EB4A42EC10B0DB3A7EF2C08135CDBE9DE8007460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.704{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000235455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:26.358{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-62852-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000235454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:28.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AD3FB534C97DEFD7B8923E9ABE4425,SHA256=06FAB5E211F6CE805229C66252020341E17C799ABCC73C667110056DE1D5B327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.288{30B46F62-7A64-6352-A307-000000008B02}991610208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.039{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.037{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.037{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.034{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.788{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA687F2940439A93EEED5630FE0EA42A,SHA256=066BBB5D8CF1DBCB38A1D7F4B2D4A5714113261B877A55EB354DDA5E8C6999E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:29.634{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A566DB841AA3D6E332491AD2A17BB31F,SHA256=0CDCC27DB06104D045097B9A129F6FAF462C254C4AC7BEAF86E10CDE8433F62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.204{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.121{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=221E8B89ADFDA68FBA551D5D12CC375C,SHA256=9C50A22902AD5F7B91B7AD879D2BA8B42E26FA30C4B5803BD1D276426936A770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.105{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E54D6D9CAAD3FBC35174BCB3AD5E6EAA,SHA256=53754D874BC7B15DED523E371AE6759AC3521BE521CA9F62159D80851404EA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:30.905{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE463AA091978B1210AEBCE02C531A6D,SHA256=4693FEECE255AF17E02CC9A4B3805AB3710542E6A0A0028DD438DCB7779E2082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:30.723{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B52916194BA40990DD607597715410F,SHA256=A5B1221E5F12F6DB03F48D227078C3954712F3A2BF8ECA66918E4ABD22D7DE41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.847{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000235458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.816{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB2AF0F96B707A45C233BA2E5D6BD69,SHA256=F3ADFAB68CEE7ABA0C3CBBD828E6B215AA5475FD31044B80B0826B1B2B57441B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.605{30B46F62-7A67-6352-A607-000000008B02}101409384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000354379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.684{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59798-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.390{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.361{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E1016919AA2742F5B22C60F721785E09,SHA256=B581A476A12AF1C14915C774EF74D93BCD7A87E3A6732879ECAC6600C252D7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.837{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:30.468{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52185-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000235487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.033{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.031{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.029{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.023{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.003{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000354382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.793{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.023{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7BB58E2DD710DFEE3594E7050C5288,SHA256=85CE7B753B12580BBA016AD9F3E898550CA397A9B4B06FE7F25C5458CC9D031C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.860{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94CBC492F270850A0E1B50CEC2D8598,SHA256=F8715B0F7FC4D4CF262E1A654D1CA9856FC9D918B11D473D3EDD9BDC31CC8479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.883{30B46F62-7A69-6352-A707-000000008B02}47606164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.694{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.093{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B400E61979191E47B44D0184C4D5E0DF,SHA256=9EF999A13F89E3F4998C190E51BBC492CF8A2A9D45B8B7ADCACBC534C1FC584C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.366{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE785899E7D672F9F1596AF857B5608F,SHA256=85965A73BF6443EC2CE86A3F797B25460275C80BA567912B0E52CB4ECD0CB84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.087{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575FB857F46C2C7F07F06F9257320812,SHA256=DBC371F8FA14061F7DBE14AAE000ED18CE1981F327603524EB1E9C45AB11D29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:34.956{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B5E95BB96C43BC4A307C78AA5A84B6,SHA256=DB3DF95580029679BD9EF5AB6A05161028EBAD927E836C1393B4C6DB99F9C266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:34.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=73B17AFD1392D917C89B9D42482C23A1,SHA256=3A9415DC3D9F2330C555BB4373A5BCB54E77E993E64499E490B0DE2DBDF6A304,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.868{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000354404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.388{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59799-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000354403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.610{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06840DF86667EDA8893B4828D5690256,SHA256=C725E726CDB3E060DD5530C01842237FA859B395543196202DDA2966E946540F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.610{30B46F62-7A6A-6352-A807-000000008B02}102127560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.367{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.109{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35BF16A583D544F06FC21962CC178FD,SHA256=CA2106FA5FD97B77FCDCDFD0804344F103C7399A1AD338521855D2CF0E1E9FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.059{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52186-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000235496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:35.931{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A1F135E163BC34277FAEC4A2D81E64,SHA256=163D9090536932F399AEC398FD40A4A36116F06F256D7F830EA831FC5938488A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.163{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000354415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.163{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000354414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:35.431{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-207MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:35.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305584E65AE8F5A0C7A4C7D6F47239E5,SHA256=EC73D494FADAC04CA88A6E1E5F65CED72934ED6EBD7B9833F1B1C40EF56030E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.799{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:36.430{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-208MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:36.373{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1034A63DED79B99DBCC1AD6848908A25,SHA256=D23A5F26BE9C1D428FAE6A7B13EA0F7B7D3DC1B201106F1A005C3F69ADD4381B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:37.447{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9948ED4B12F01FFA49C4DFBBDF54CA9,SHA256=07AE59808E279EFF1C97E7BB7F55AE21A34C41EF45C17303FCE51886FCF1FE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:37.021{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431CC309AAE120CF5C3EED3C1D3CC7BD,SHA256=3F5E47C2014046CDF6F6BC0CDE511838EED6BB714E5D0F82D841206F0FB26C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:38.549{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83830E0D812E019595DA8ACB28E5B12F,SHA256=B3C8CB1224FFE5177FEAF960F2B8AA2F104823B025F8F1F162169EEEB3D76622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:38.113{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C6B682402E7C417F31ABCC09FBF894,SHA256=5CAAE322061DFD759A10BF20CDF28F1C37F774B768933A08E3F2D9D02491BC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:39.674{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71D699BBFD2A98416F0B85FE1965BFF,SHA256=6453B7BAB9C69426EEB9578039E6E550668E42CF406669255C7104D8546D0B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:39.191{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B92958298283A879349F32E92B35273,SHA256=400EBEAF7E7ADB8027A573782323AD51318FB7112CF5A3F96DDE0D2D74AF8A41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:36.333{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52187-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:40.804{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574BFE09A13255D19153D22420E88A48,SHA256=561FB5C5828E909638016B71855BDB2BDF70027C9A9222827317CC8AB428ABF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:40.280{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DCE3578B152DC68BB4D37B15D71676,SHA256=057D80687987BDC81202A6C11C8B01DB96C32801071CCD508E16A6C7C978A8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:41.921{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029823B77276AF6EE9798A8815DC29F1,SHA256=643D1D6D562C1A5ED2E119C64722AAF35CEF4BC3BA9965C35117B0C2D4078FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:41.354{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E0FE385E7D1578C1B0387E8F4D5E80,SHA256=3F6BBAF70CAD8D6DD3603841F55D3AEE18ED1E4147865C033F5BC4EF108E5A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:39.809{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59802-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:42.421{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284BD61110A4A136967B3EC9E957E374,SHA256=E9C08D4A2A6539512D1DD5F92F119A2A52F5DA8663DF17C97938ECEC7123D8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:43.500{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980AC49F9996A6F263D502E32B73127B,SHA256=B9BFED4AB90CC6A932C2308BDAA6FCF056660B10AFA3D4F77B06CD71FA74DF4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.775{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.769{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.767{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.760{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.758{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.739{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.732{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.729{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.727{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.725{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.719{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.695{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.688{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.677{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.664{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.632{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.620{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.612{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.603{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.596{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.558{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.554{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.037{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F30467C21AE84039A63FB8E98DD7AE8,SHA256=A8A0AD98CCC8C6B35ADA6131B5E99354A22C3F9FF93A6B9EB24EC1BE4AB5AF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:44.590{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC89C1449E4CA40C7D5DC164ABF4DD86,SHA256=1C3B5A8806BEA59918208480D9081B19CD005293FEF3C049CD2FD743E75A1C81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.152{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.149{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.122{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1AD11B45DC68FC1B7637853A8BE4AA,SHA256=ABD21517667CA686920A75832EC07F347E0CA391A54F17DCF842ABB933FFF205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.894{EFF5EEA8-7A75-6352-6E06-000000008C02}24881248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA5C343EA12B52F731BB3AD4709CA4,SHA256=16A363C00C2FE23D71320C9BE572C509D50C667A24B514D22D4E014F64F46344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.677{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:45.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2F63E5D17AD08D329C72BEDC725B18,SHA256=438189F61304D63AB06B7EB7B55BAD6FA13DC4B4B438167AC94EF6A2FFDB5A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:42.363{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52188-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000235550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.841{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.762{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAADAD769C044BF8F7BC7317B0EBE2E,SHA256=6C0BB8ED93E83687420D842DFE3B852C94298D93A502A9778A4AE2A06727CD64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.998{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.995{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.992{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.989{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.984{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.981{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.978{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.975{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.971{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.968{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.963{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.959{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.957{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.952{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.946{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.943{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.941{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.940{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.938{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.933{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.931{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.930{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.929{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.906{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.902{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.898{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.897{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.896{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.893{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.890{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.888{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.877{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.836{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.827{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.823{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.820{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.800{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.790{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.756{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.751{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.737{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.726{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.725{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.721{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.717{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.714{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.308{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE424D8E0063985375A8DDE3078A04D,SHA256=DEF7AA79EA11745D6E7E931BB2F626ADF5561CD64A06CDAE893F41CAB023C65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.603{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F21AFF2A3ED2BB60D8E909AFFF165BA7,SHA256=5137F74C4E4BACE29F7441A96100CCA6FEE93CBF1603CA5A2DAD11FCD35E5554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.345{EFF5EEA8-7A76-6352-6F06-000000008C02}30282764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.177{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000354456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.186{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.184{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.181{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000354553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:45.813{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59803-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.410{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204ADE9E35FD8A09EBA1DEFE3A9C0921,SHA256=95023AF43FF0D78147CD150E86FD60B2E01A5F9C7CD944A26B5215744C0F1F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.666{EFF5EEA8-7A77-6352-7106-000000008C02}26481084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}<