23542300x8000000000000000354097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:49.735{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C32846EA13F36CAF3B33745D53D11E,SHA256=AD87207D36A8DEF39B6AAEC5147525EEFAD02D68F4CC4CFCDEF933D7D1C3EFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.680{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.681{EFF5EEA8-7A3D-6352-6D06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.508{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06806E82E7094721F6D79BC46AD3C421,SHA256=5546A210F36AD15932B695B5BF425FCC282B453DA9A02AFC50EF794F4D581C80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.214{EFF5EEA8-7A3D-6352-6C06-000000008C02}9723120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.060{EFF5EEA8-7A3D-6352-6C06-000000008C02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:49.058{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830394697FFB145E353C15604F9681B3,SHA256=7939919D8B108AED6086F88149A7BD1C76E171E5474F30343A7D2F27F2E62754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:50.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196A18E52459D1904859717DF4B950A6,SHA256=856AAC1B73F8DEE6B08D271C47F0C9A760AB3639A9949E078322C7E8F0E6D1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:50.258{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4293D80EFD1BA6C8D4947D8AA3848643,SHA256=3AA4A287071202DCC3A0509A6AABD588EDACB506DFAF12029DE144BCB234B33C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:47.854{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59791-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:51.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129DA1224102F60A465B513B464F544A,SHA256=46197EF116A393FABCC963B7F8744FE0A57771926E94F1D83BD38F8B08FE7BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.997{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.996{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.983{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000235347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.392{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D5FCE189DE2E0AB435C727A5DCADEB,SHA256=B2A3D6A2D4B9497F3E9729CD3442271DFF048E748D07091FD1F01EB71E7678A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:52.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39580EABB8418005F217A77F67D7AB1E,SHA256=D3A7CBD089B9C2DCB3E938361DA9E85E609ECB2D915BF5D0A40E98C0BD36F2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.627{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD9D585462C9D4730D356B5F3D84DA3,SHA256=964C6AEE9D713613E783AD6528EF06212C5B9EEDA03AB944B1C5BAE1DFB6D0E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:52.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000354102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:53.974{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6555659C77DA5BDB62A4054E99E24FB,SHA256=64D815194A7BA02575F81DE5FB97C7F2D5C566F0EA42AA2DFFA84A543E96F670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:51.316{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52178-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:53.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64616BC8625C5330D3A590701C9CE95A,SHA256=7664C5DB3D81C849EF232996F83E9880BBB04381D3CB2DB3F4B7DE97A152D3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:54.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726CB5CF8A905D0213937FA8AC4F0B44,SHA256=3B14CFD699A22698930463E2C382A0C6E57C5F26FF46196B6627465C909D68C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:55.856{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B504472FCD1F2BF41C4A45C0BE24D1B5,SHA256=152A0360F290AF60B171C82079E6C16E25AC8EF68077E100247899521C484723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:55.016{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16B3880372268517CA7C8D31E3F47A6,SHA256=93C077906131B7B4863DAD5FF0239B3F67005ACBE4CF8883E3357D933BE2FEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:56.956{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BADEA0D154D08EF2AED97F6FC1E2D44,SHA256=6D49755D8DE46810F33BDAB09665FE2D70AA1BBBA8C10CD696D5006D2C6251CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:53.836{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:56.078{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E5C2C888F640B785F35255AE9FD318,SHA256=7B3DF04CB0BA518135034EC2C66DA1967728C8FDE80EF0B0DD75A964596BF2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:57.121{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC759C2814D5A5030703EEB53FDA0F1,SHA256=B7991512A36CC09409C59B354072F9B6C09BE9E412DCD4EECE701E9EEC0E6362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:58.183{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3975B7139C616838165FD953147CE22B,SHA256=090E816EA3C43AB48A738EBD8A9B5711AFF251BE2E6778C342844386396E0BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:58.042{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BF01BB855B164D2C8DE33032BB14ED,SHA256=D781316465960FA148E9628B469FAF915754BE6B22A2565199CA34E4BA79688F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:59.325{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824661944F0401D9B75F54C49F42F079,SHA256=FDB938B9A5AAE612D4E8D54BABB7E8A0FB742A66AE65710F5DFC08B3FEE955F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:59.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1415E8153A47E8AA26FD49C4EA1D6CE5,SHA256=EFFB49DDEA8D7A4C5B01F3F017C20E6299FECAF7E99CE53E9231645498AE5DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:00.385{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86321D42C652DFC26CA956F3890BAB7,SHA256=D5632641829133A1B60C42F94AF34F79277BDE35EC95454C8690B2E3A600DF72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:00.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FEA79B9AAB62BFEC8B6781F5FEEAD3,SHA256=659E58BAB1434509DA1482482AE58A3FBB4E04EEDBA40B9A5390C759D336C879,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:53:57.292{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52179-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:01.486{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9245CC890C817E05F31224A097925711,SHA256=6C5745878F03CB00737093EAD67A8F11EEE42F9922C65E4E6BCE22CC6EBCE8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:01.305{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C140E7278036C97AAFADC7334559A71,SHA256=0E06B4C992103FADDC86EF5B6BD8A2A62477194A42345C925F39D7DA22851636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:01.127{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0238A15C2814A0B770C27861A5629470,SHA256=8D2C8E00C2F26F3CB718BDF2578F10B93A8AE61F6C3B2BB82D139CE148002A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:02.556{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318979F0ED867296A9D37D3C1705633F,SHA256=78F7CA2EF260696F2B8CC897DF40061950EE10665DC7642840DDE59EF230AC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:02.399{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FD489FF3C88CC80E34F5F3CDAA60F7,SHA256=C5D16979B0F10E345722C1208939B804C19A94BAA5A29B47B15F1D1EA18124FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:53:59.760{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.960{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9039CF83501EB6EA43F495857FF8458B,SHA256=9D260CE797094F7CD64EFC40AC5790D6FF2F50B79E794DF9C695BE46145B3A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.870{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.864{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.861{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.855{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.853{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.832{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.823{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.820{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.817{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.814{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.803{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.796{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.770{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.752{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.735{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.717{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.679{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.660{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.642{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.632{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED1A82F35E6C493841E6AE11E8DE787,SHA256=42CA4DB85F751540C4668EB5EECC333AEB94D555E2D483DF7BF00BCA07C21685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.623{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.595{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:03.493{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E87F7B571FE24B099890839D50AE2F,SHA256=8CCEF3EEF99DF4FC230B1F735D125D055465B2D1F5AB073F500897833BD965D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.550{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:03.547{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:04.573{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC313290BCA06A76651DA5BA41EFA5,SHA256=3452ACFB89C5B8C6159641BEB1A9B2874CBA892E4495E215A11DF2D4176CE062,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000354151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000354150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c31e41) 13241300x8000000000000000354149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0x0de4c4f2) 13241300x8000000000000000354148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53b-0x6fa92cf2) 13241300x8000000000000000354147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e543-0xd16d94f2) 13241300x8000000000000000354146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000354145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00c31e41) 13241300x8000000000000000354144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e533-0x0de4c4f2) 13241300x8000000000000000354143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e53b-0x6fa92cf2) 13241300x8000000000000000354142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:54:04.931{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e543-0xd16d94f2) 23542300x8000000000000000354141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82F0FE0956656DA748A0D9688B26F5E,SHA256=9709DB0AEC7B99018CD7DE49E2F8BEFAB746873F2A46C0E20A6DCCE5DE11D7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.332{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:04.329{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:05.879{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E4FBA125E8CFB83CB2A145B7AF63549A,SHA256=DC9B0AE838EC7CC0AFFB31A605A0FF09C3CC90F63764936FAEB58F276D774554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:05.651{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9CD9176FF755F862550E25F25EBE51,SHA256=D917852C2FFF4E2CFCDFD1D355DDE5CE1D5BB80D4E0F7CCA9E66FF412BA4542A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:05.760{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AF2A5556936A0F644994A98333857C,SHA256=D9C215762045B15491D751DD719657AC29A60B2B95BE32E159CC691F38A2E64C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:02.496{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52180-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:06.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C26FC73C948E6391578C3D57FC99E6,SHA256=2CDED1742572806436912081B133D500602BE6FD4385F90373567E19242D1253,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.981{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.974{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.972{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.969{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.954{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.945{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.920{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.915{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.902{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.897{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.895{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.886{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.884{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.883{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.880{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.879{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.862{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7FD70CC4479BB3D94030DC8A8ADB46,SHA256=2AB30A1E76042C1BB3EDF49D254E18DB5F3E5602749A609A86D9504BEAC033FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.364{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.363{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:06.361{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000354217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.966{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F3E532ECA39ECB29B0519E0C63B15E,SHA256=C2C64BEB7327CA67597D9D5758150755E088DEC190321C3C2A72B74A23CF071C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:07.809{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0F6397063EDBD841769FF4090F5647,SHA256=ED0DFB768E17336C4EB0AA774A1658553F2BBDFE02BA882B92DA99BB6515D205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.434{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1A6750E3742168692A0A9C9CD8DC1,SHA256=FB14D6B3D9178C07896918649F59116D5DA23334867C1682FFDC5003370D4FD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.144{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.142{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.140{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.138{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.135{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.133{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.130{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.126{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.123{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.120{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.118{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.115{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.113{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.109{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.106{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.103{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.100{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.098{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.095{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.093{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.090{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.087{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.083{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.079{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.076{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.073{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.071{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.069{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.068{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.062{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.041{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.037{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.036{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.035{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.033{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.027{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000354173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:07.016{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000235396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:08.897{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2018D1CD8447EEAACEF7927686678EB9,SHA256=A06B0251AA383FF8CC33C6D42A614D626F6378F5A88F7F7B0E717665B7EA9661,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:05.782{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59794-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:09.972{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76AD97898650674EFAA8F5DC08A3313,SHA256=83FDC1A9CA1263CD7B7D7D62080BE04541F29AF406C1D5A5196869981AD9462A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:09.079{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3823A80E851C7AEEBCC0998C054F53,SHA256=A0B194B4F4311844BD109DB3DAA391E2A40A590270A375CC3B238B91ECB48311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:10.180{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B49A856D0107E2A95B1C92B75D392B,SHA256=5BFADBED1936C11583F54F2683A276452F0E804C464A925FA914555942216314,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:08.445{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52181-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:11.297{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C5BEEFAA4EA744D67E8F92B49EFBA1,SHA256=F39C5F7ED96B719E64973AA6213122B5BBCD0596D184D9A2FCAC03A94AFEA4AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.958{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.830{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000235399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.064{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A938437476B07F1B6360B8B0E9B0C86B,SHA256=85556A05EAA24CBCD32B28C3E2642D193AEB1F7F6672D4919959BF4390F896FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:12.315{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0738B4C59A1A1137DE0EB586D4159FD8,SHA256=230B297B80AC7BA273CD0D5335BB00683D4CD8990FD2A6CFAF3EE2038B97ACBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.306{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FF4B0AE28E8AFD1136BBC1D0D04D1B,SHA256=03184D77E856BBAD2A3C2E7DC7C3608520A8BC94B42C05F672C95412A6E69355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.018{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:12.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:11.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 354300x8000000000000000354224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:11.789{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59795-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:13.369{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4EE1B9A94BF9856A0C6407C31D0CDC,SHA256=9D1E7272EFA0E15D278149C9284B335AF34D68B4189CC654F025FEBEEA4144D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:13.333{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB242105DA1BE5AC7CE924E036F81B9F,SHA256=3472D60A9E2D522A94219EFAF1F0E37DFB01DABFF3CA07E56C68FC09C6047766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:14.470{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445247CFBC162A8949B29F8F77DAA455,SHA256=053B8E28A524A5CA2A7C392BC645DCCC7A30D5985E1F1949C486D0023917F163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.431{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.415{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:14.407{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0FD06514CCE33F6E7AEF3A5ACFD715,SHA256=9BE7EC5B0D7FBA99DB3933AF5E80F3E3EF9FAB8790ECEAE62BFF55F7B5FD6213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.944{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc34949.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.544{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4618EE3A2E1630A225E3D5A98A8423B8,SHA256=7409045032A39BF967CE15D5C4EBE3F851552D5206A19A835F98AE05CA1AFB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:15.488{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710D16988870359BC6F145F1627934A,SHA256=C485E324A488271B426F3804C39EC696CC2850934D4B34CF974CC0C7D699026B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:15.021{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA6DCA7795440314F127D0E253F166F5,SHA256=8E5D68AA120742D479133757EC360342375D4EF4AAF9B8FDD43CA96DDA706080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:16.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F6726A08A0251BE9933FFBAB121809,SHA256=B6EE5A52B4921CEE5EBD8DBE18055B64540B2B6372EAF05A5818A2C8FD6A0C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:16.573{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9100F140DB696D5F6B49FB00BB8F2BA,SHA256=8037F76485E205E466A33B80C55727598BB7061492C6F5A7B137F309EE5D7A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:13.464{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52182-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:17.746{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7A759BE82C31D7F343E1F060AD0521,SHA256=008488DB9B29A849C2D01938DCDE9082ED8FE3D534DF1336CD992D346CAF9A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:17.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A755139E032599262099214FB371AAD,SHA256=0A3AFF499788132F37005EF45B6E1C3EF2DD81A78646D459920A2B96AC5856A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:18.774{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCD0B09E11DA7645CC5D1BE9C4A3A32,SHA256=2501DA15753EB11F252E12FF4528768D99B982FD75B5FF01BD6089C7B16E0B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:18.771{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4884F71FD1454F1995E3FD1D28BDB5AF,SHA256=B5377BE550FD070ED44D1F55357A42135F5B78490231BEB0B38760E445A991DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:19.865{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D679A6D6D39E744ED44DA8AC7525AFD,SHA256=CBCFEDAEE71D9EBC41400E726CF889D933663F8B1643AB30A3AC82BA107DBEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.857{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDAA3728D91A63FEC009AE537BD3D4E,SHA256=4618802C8D9BBB93B644DF357F64250618A80E0A1FD9099CE3A03B26814A3A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.732{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6B45757ACEF90F80B9D549735D78A3F6,SHA256=C4F53D23E2DB1649F60E0ABB24A10AE332C2ACCCBF196998E7FFD1663EC9D79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:20.937{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F23A10F07AA4EF2A36666D1DC8A138,SHA256=79A9AABBAB0606F64D00B2327862BEEC9F50DC5656A677B3E172539C11F7FC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:20.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED6BBC481CDAC97A7A311A0F22503E4,SHA256=1055A1DF2E719D80BBBA8724D06A5DF034A858D8E1697DB8CF459CF1D29DBB55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:17.827{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59796-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000235444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:19.433{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52183-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:22.031{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AE31F1ADB491212B302FA435A2AC2C,SHA256=6F52750C23C955DF44B13717339C365F6980D50F76F74C6D027245275E35EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:22.028{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D80A5CC708E08819630519C448D8426,SHA256=DB1237838F2278B22ADC36B9D0094C97F6549322B470B9D512AEF1AD44D32128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.802{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.797{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.794{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.788{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.786{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.768{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.759{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.758{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.756{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.749{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.744{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.726{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.716{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.705{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.696{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.669{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.655{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.648{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.635{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.626{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.567{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.564{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1110D954089947DC5E546F4D7C83160,SHA256=F019D602917F1B4F718DC372D0228A3CD98696661A41DCE69413D0D4EB6A5450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:23.655{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-207MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:23.127{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D13933310ADCBFF915253114BECA0,SHA256=1BF7CF17E56DB3AFF2BF2A96AD81968C556F4AF863298CC2D5D78575689DD69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.194{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CCC6825DF5B2977FE14494AF7141E9,SHA256=665069A5CCFD751D695717612CB00D4DAF5BEDDAAE0F050CCE2CF69BA1D9E1F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.188{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:24.185{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000235449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:24.665{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-208MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:24.195{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569A67B14387CECCC86CF9026A4F5F23,SHA256=A2B26830CDABFFA3D1FEED95AEFB7551BFB5720F738C4C5F4F5F0B27C486915C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:23.727{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59797-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:25.255{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0323500CB0A5ADD2B01E44BB8E200049,SHA256=1DDAF8CDAAD964822F994D8208561376AC2538FC7DCF56F9A4F3C94A93A2EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:25.280{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F11A70CC3CB7250D47BB528BB2A7CD,SHA256=1C13271C876BBA95AF78ED75A0A0E013CE2DA13B030A5F3CC1CBDB4ABE460044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.998{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.997{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.972{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.964{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.961{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.960{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.958{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.955{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.950{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.947{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.935{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.884{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.876{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.873{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.870{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.847{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.835{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.797{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.786{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.775{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.769{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.768{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.765{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.762{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.759{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.758{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.340{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D0E6726D281A4E8F17ADDDBE6E5175,SHA256=ADECBA7A64DF26F2AAABF3F954D6730D49F050606FDE12A04891ED40F42EEFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:26.364{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59C3BC6768A8E4ECB6D7E4B2AE90CD1,SHA256=E6427594565CC71A35E93CB1E723493E426F3ADDFFB69C6C8974C492A6464824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.235{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.233{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.230{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.045{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.045{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.044{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:26.029{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181BB10886D063D10962FB67D65E790C,SHA256=8168916B27E53AD7A7B182F8C1734D14DC5ADC59B2419BF305689472A91255E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308077924ED24AAF7015BE6CAEDBE3F1,SHA256=6AF60743E3547C6353E1EE3D27828035FB652ED218679A18D036EF9496B9308C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:25.397{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52184-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:27.460{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4804B0EA9A9E64A565ED71B3CA687231,SHA256=8EABDBF1A81EA357EC1835C5A150D42B5E9B98CB21C7A42ED52A78C4A91C71E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.127{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.123{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.118{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.107{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.104{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.101{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.099{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.096{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.094{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.091{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.088{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.085{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.082{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.078{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.075{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.071{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.068{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.065{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.061{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.057{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.050{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.045{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.042{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.033{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.029{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.019{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.017{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.014{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.012{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.011{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.001{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000354300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:27.000{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000354357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.787{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AE5F5914FD680D4C2513985D38A9D1,SHA256=DBB64F64BB51E5E5203B8F60EB4A42EC10B0DB3A7EF2C08135CDBE9DE8007460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.703{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.704{30B46F62-7A64-6352-A407-000000008B02}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000235455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:26.358{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-62852-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000235454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:28.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AD3FB534C97DEFD7B8923E9ABE4425,SHA256=06FAB5E211F6CE805229C66252020341E17C799ABCC73C667110056DE1D5B327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.288{30B46F62-7A64-6352-A307-000000008B02}991610208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.093{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.092{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.039{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.037{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.037{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.036{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:28.034{30B46F62-7A64-6352-A307-000000008B02}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.788{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA687F2940439A93EEED5630FE0EA42A,SHA256=066BBB5D8CF1DBCB38A1D7F4B2D4A5714113261B877A55EB354DDA5E8C6999E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:29.634{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A566DB841AA3D6E332491AD2A17BB31F,SHA256=0CDCC27DB06104D045097B9A129F6FAF462C254C4AC7BEAF86E10CDE8433F62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.203{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.204{30B46F62-7A65-6352-A507-000000008B02}7972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.121{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=221E8B89ADFDA68FBA551D5D12CC375C,SHA256=9C50A22902AD5F7B91B7AD879D2BA8B42E26FA30C4B5803BD1D276426936A770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.105{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E54D6D9CAAD3FBC35174BCB3AD5E6EAA,SHA256=53754D874BC7B15DED523E371AE6759AC3521BE521CA9F62159D80851404EA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:30.905{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE463AA091978B1210AEBCE02C531A6D,SHA256=4693FEECE255AF17E02CC9A4B3805AB3710542E6A0A0028DD438DCB7779E2082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:30.723{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B52916194BA40990DD607597715410F,SHA256=A5B1221E5F12F6DB03F48D227078C3954712F3A2BF8ECA66918E4ABD22D7DE41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.847{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000235458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:31.816{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB2AF0F96B707A45C233BA2E5D6BD69,SHA256=F3ADFAB68CEE7ABA0C3CBBD828E6B215AA5475FD31044B80B0826B1B2B57441B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.605{30B46F62-7A67-6352-A607-000000008B02}101409384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000354379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:29.684{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59798-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.389{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.390{30B46F62-7A67-6352-A607-000000008B02}10140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:31.361{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E1016919AA2742F5B22C60F721785E09,SHA256=B581A476A12AF1C14915C774EF74D93BCD7A87E3A6732879ECAC6600C252D7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.837{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:30.468{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52185-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000235487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.033{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.031{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.029{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.023{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.022{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.004{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.003{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000354382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.793{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.023{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7BB58E2DD710DFEE3594E7050C5288,SHA256=85CE7B753B12580BBA016AD9F3E898550CA397A9B4B06FE7F25C5458CC9D031C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.860{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94CBC492F270850A0E1B50CEC2D8598,SHA256=F8715B0F7FC4D4CF262E1A654D1CA9856FC9D918B11D473D3EDD9BDC31CC8479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.883{30B46F62-7A69-6352-A707-000000008B02}47606164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.693{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.694{30B46F62-7A69-6352-A707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.093{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B400E61979191E47B44D0184C4D5E0DF,SHA256=9EF999A13F89E3F4998C190E51BBC492CF8A2A9D45B8B7ADCACBC534C1FC584C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.366{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE785899E7D672F9F1596AF857B5608F,SHA256=85965A73BF6443EC2CE86A3F797B25460275C80BA567912B0E52CB4ECD0CB84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:33.087{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575FB857F46C2C7F07F06F9257320812,SHA256=DBC371F8FA14061F7DBE14AAE000ED18CE1981F327603524EB1E9C45AB11D29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:34.956{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B5E95BB96C43BC4A307C78AA5A84B6,SHA256=DB3DF95580029679BD9EF5AB6A05161028EBAD927E836C1393B4C6DB99F9C266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:34.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=73B17AFD1392D917C89B9D42482C23A1,SHA256=3A9415DC3D9F2330C555BB4373A5BCB54E77E993E64499E490B0DE2DBDF6A304,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.867{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.868{30B46F62-7A6A-6352-A907-000000008B02}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000354404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:32.388{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59799-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000354403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.610{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06840DF86667EDA8893B4828D5690256,SHA256=C725E726CDB3E060DD5530C01842237FA859B395543196202DDA2966E946540F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.610{30B46F62-7A6A-6352-A807-000000008B02}102127560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.366{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.367{30B46F62-7A6A-6352-A807-000000008B02}10212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.109{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35BF16A583D544F06FC21962CC178FD,SHA256=CA2106FA5FD97B77FCDCDFD0804344F103C7399A1AD338521855D2CF0E1E9FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:32.059{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52186-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000235496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:35.931{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A1F135E163BC34277FAEC4A2D81E64,SHA256=163D9090536932F399AEC398FD40A4A36116F06F256D7F830EA831FC5938488A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.163{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000354415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:33.163{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59800-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000354414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:35.431{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-207MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:35.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305584E65AE8F5A0C7A4C7D6F47239E5,SHA256=EC73D494FADAC04CA88A6E1E5F65CED72934ED6EBD7B9833F1B1C40EF56030E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:34.799{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:36.430{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-208MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:36.373{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1034A63DED79B99DBCC1AD6848908A25,SHA256=D23A5F26BE9C1D428FAE6A7B13EA0F7B7D3DC1B201106F1A005C3F69ADD4381B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:37.447{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9948ED4B12F01FFA49C4DFBBDF54CA9,SHA256=07AE59808E279EFF1C97E7BB7F55AE21A34C41EF45C17303FCE51886FCF1FE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:37.021{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431CC309AAE120CF5C3EED3C1D3CC7BD,SHA256=3F5E47C2014046CDF6F6BC0CDE511838EED6BB714E5D0F82D841206F0FB26C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:38.549{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83830E0D812E019595DA8ACB28E5B12F,SHA256=B3C8CB1224FFE5177FEAF960F2B8AA2F104823B025F8F1F162169EEEB3D76622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:38.113{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C6B682402E7C417F31ABCC09FBF894,SHA256=5CAAE322061DFD759A10BF20CDF28F1C37F774B768933A08E3F2D9D02491BC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:39.674{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71D699BBFD2A98416F0B85FE1965BFF,SHA256=6453B7BAB9C69426EEB9578039E6E550668E42CF406669255C7104D8546D0B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:39.191{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B92958298283A879349F32E92B35273,SHA256=400EBEAF7E7ADB8027A573782323AD51318FB7112CF5A3F96DDE0D2D74AF8A41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:36.333{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52187-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:40.804{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574BFE09A13255D19153D22420E88A48,SHA256=561FB5C5828E909638016B71855BDB2BDF70027C9A9222827317CC8AB428ABF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:40.280{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DCE3578B152DC68BB4D37B15D71676,SHA256=057D80687987BDC81202A6C11C8B01DB96C32801071CCD508E16A6C7C978A8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:41.921{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029823B77276AF6EE9798A8815DC29F1,SHA256=643D1D6D562C1A5ED2E119C64722AAF35CEF4BC3BA9965C35117B0C2D4078FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:41.354{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E0FE385E7D1578C1B0387E8F4D5E80,SHA256=3F6BBAF70CAD8D6DD3603841F55D3AEE18ED1E4147865C033F5BC4EF108E5A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:39.809{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59802-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:42.421{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284BD61110A4A136967B3EC9E957E374,SHA256=E9C08D4A2A6539512D1DD5F92F119A2A52F5DA8663DF17C97938ECEC7123D8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:43.500{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980AC49F9996A6F263D502E32B73127B,SHA256=B9BFED4AB90CC6A932C2308BDAA6FCF056660B10AFA3D4F77B06CD71FA74DF4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.775{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.769{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.767{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.760{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.758{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.739{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.732{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.729{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.727{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.725{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.719{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.695{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.688{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.677{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.664{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.632{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.620{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.612{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.603{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.596{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.558{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.554{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:43.037{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F30467C21AE84039A63FB8E98DD7AE8,SHA256=A8A0AD98CCC8C6B35ADA6131B5E99354A22C3F9FF93A6B9EB24EC1BE4AB5AF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:44.590{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC89C1449E4CA40C7D5DC164ABF4DD86,SHA256=1C3B5A8806BEA59918208480D9081B19CD005293FEF3C049CD2FD743E75A1C81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.152{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.149{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:44.122{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1AD11B45DC68FC1B7637853A8BE4AA,SHA256=ABD21517667CA686920A75832EC07F347E0CA391A54F17DCF842ABB933FFF205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.894{EFF5EEA8-7A75-6352-6E06-000000008C02}24881248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA5C343EA12B52F731BB3AD4709CA4,SHA256=16A363C00C2FE23D71320C9BE572C509D50C667A24B514D22D4E014F64F46344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.676{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:45.677{EFF5EEA8-7A75-6352-6E06-000000008C02}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:45.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2F63E5D17AD08D329C72BEDC725B18,SHA256=438189F61304D63AB06B7EB7B55BAD6FA13DC4B4B438167AC94EF6A2FFDB5A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:42.363{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52188-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000235550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.840{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.841{EFF5EEA8-7A76-6352-7006-000000008C02}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.762{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAADAD769C044BF8F7BC7317B0EBE2E,SHA256=6C0BB8ED93E83687420D842DFE3B852C94298D93A502A9778A4AE2A06727CD64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.998{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.995{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.992{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.989{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.984{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.981{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.978{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.975{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.971{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.968{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.963{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.959{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.957{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.952{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.946{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.943{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.941{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.940{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.938{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.933{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.931{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.930{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.929{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.906{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.902{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.898{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.897{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.896{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.893{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.890{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.888{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.877{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.836{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.827{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.823{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.820{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.800{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.790{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.756{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.751{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.737{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.726{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.725{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.721{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.717{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.714{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.710{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.308{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE424D8E0063985375A8DDE3078A04D,SHA256=DEF7AA79EA11745D6E7E931BB2F626ADF5561CD64A06CDAE893F41CAB023C65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.603{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F21AFF2A3ED2BB60D8E909AFFF165BA7,SHA256=5137F74C4E4BACE29F7441A96100CCA6FEE93CBF1603CA5A2DAD11FCD35E5554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.345{EFF5EEA8-7A76-6352-6F06-000000008C02}30282764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.176{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:46.177{EFF5EEA8-7A76-6352-6F06-000000008C02}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000354456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.186{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.184{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:46.181{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000354553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:45.813{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59803-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.410{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204ADE9E35FD8A09EBA1DEFE3A9C0921,SHA256=95023AF43FF0D78147CD150E86FD60B2E01A5F9C7CD944A26B5215744C0F1F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.666{EFF5EEA8-7A77-6352-7106-000000008C02}26481084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.652{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000235564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.510{EFF5EEA8-7A77-6352-7106-000000008C02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:47.012{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B9E354CE1ABE45696EE896636F1F4F,SHA256=B04F2129F018902ACB0617ECC79090CAA705A55FF8D3903CCAA5711082463C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.226{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A228F8D0DB1ED75AC55C0ABB687D75,SHA256=DD6A39D38A3ECD6AB34835922334771661566074E7ABF4BBE9AF43F363066AAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.045{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.044{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.043{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.042{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.041{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.041{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.038{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.034{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.031{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.026{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.022{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.017{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.014{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.011{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.008{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.004{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:47.001{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:48.528{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD22605B20C1B8548B0CE658A5B60A40,SHA256=0FC4BA902C6FADA7CFB59EC913F5472D106E71DE19852E63C6C96267076D9343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.814{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.815{EFF5EEA8-7A78-6352-7306-000000008C02}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000235586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.302{EFF5EEA8-7A78-6352-7206-000000008C02}19923348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.135{EFF5EEA8-7A78-6352-7206-000000008C02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.133{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078D1DCE049CFD0D9CB3AA14B945FDB6,SHA256=B434C38178243CC8A87F867AD311ADC546A60D15F712E1E031AB8932536770FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.904{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5744D27E848EF6AD22CEA17DA8CBE625,SHA256=1F38A7ACCDC79870E036631908223C5B948CFD3272B2FA09B23BACDC4A1F8AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.497{EFF5EEA8-7A79-6352-7406-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:49.253{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A049B62EE7E873024813571C8EA3C1C,SHA256=48A0A10BE9E3BA60521008C193D10BEC9F9CDF8E6427654E61C809C8ADF3CADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:49.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7EFBCBF2B47809CB64158502C26510,SHA256=ED6585D348938AF4081131DAE10D7664A366383CF62D9B87676F7B90303382D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:50.589{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5317F6500645D76E74DE7407E8F014,SHA256=6FFB08E15D8872D3DC21295BDD81037115D6CC3B7D1A4C90B9D1970B8888F7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:50.715{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA49C9F318E7DF0AD2384F0CB687B3E,SHA256=7460E4D2802B2CFAEF7569A94DD5968D73DCE0F2FA1635E5022660C612C26A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.882{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.869{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.823{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.820{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000235617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.686{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8EB183696EA48000CF984A85DE5ECF,SHA256=4554F0B5E73068D9BD262BB76EDC5DA2739A56C38957EBA4C06E77DD17B156F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:51.832{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D02F7C29529A0AEBA177A44E36CB0B0,SHA256=B350B8205C6CB23D0B2EA69B97F6D48D75D50C5E3D00D548638F8B7EB2C4B6D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:48.297{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52189-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:52.850{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2784A7D1D17197F7D50A3C3EDE621D6,SHA256=AD1A87FDD72E4D985516AA8D29F297E8C0FC23CBD0BF5C53DAD3C72B86DE64B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.039{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.037{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.035{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.033{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.032{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.030{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.029{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.028{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.023{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.020{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.012{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.009{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:52.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000235632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:51.998{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 354300x8000000000000000354560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:51.724{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59804-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:53.869{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F36D60EB691734135184022AFDDA732,SHA256=5742191A19AF6A818094E3086B128C7AE49C90132B840BF0103776DF184B3A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:53.077{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA8A04D2EA611E3C2E63D3F7FB37163,SHA256=88000E0EE1BB08BC49A3BB71CA44ABAEC883AE68B72E34107DCF665976BF2855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:54.955{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7F4687D2753228939C23DC30A03955,SHA256=B3FC83C9E2B35848E51061123F82B192E14269EE01F8B441DE256C795051CE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:54.187{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBB9E8956513F3AAF149ACB7E13DC75,SHA256=605689CF0018AD011592F5078B04B7956D87F9B0346483A5DB3DF7F696FC1497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:55.260{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C112B3F7B8BF5999575C0F829F5503F,SHA256=18BBF651BF79769E1F04CC25F8A3E45EC208FB40C6D29C2907C6C25E6E51EA51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:53.467{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52190-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:56.350{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F86C530780BF85D34F7FF3C07B8A78,SHA256=F23B3CC4AD08FF64B203E9E2D5E5DC5E60DF82ADB3D5330F7EAD47693A852E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:56.040{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31691A79607290AC8C9B266A2E41CECC,SHA256=D683DCF1993EA30C92BB226D1B943C3C6A64505A32A2C137711CE65265331857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:57.426{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEE753E7ADECBB031442CB518B08CBE,SHA256=DE4100E0595213391314D2884C38AE68255A523E95796746E460B01F69526E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:57.141{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAA6379273ED6BED600AE8B295CDF2C,SHA256=6F12AE1E06820A6C831DDD8652CA3F5A88D0C9821EEEA4450E513A52240691A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:58.502{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526675884A5B8D87AC8F5A39A8DB6D25,SHA256=381DF344FF8AEA01819CFEC4969E25F95EC5C1DA982296853A91E15466EE7BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:56.880{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59805-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:58.227{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D0A86CE0383F5173B94E8CFFC10FB4,SHA256=7B83F4B462BA826251B97B3FE003BFC0094F44457007318EB2DCCF79802353EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:59.585{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8134479FE05EC74B6DB1C5A3848751,SHA256=10772612714F988F7C809E87F5DB533E172B397A879FCCA0AAB29A36C78C5DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:54:59.328{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3C0545F8D9C51196137A1E89AAA6B3,SHA256=13C082B958C926C5E988E0A763ABF5E66B903169837BB33C3C6C5B4FA4594A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:00.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221CC8335079937B29210A40B1851B28,SHA256=5632F92F0EDD9BB264CC14D85780A99E89A49D3C6ADB15A8C666F70942283EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:00.378{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6845AF31E98852FDD8FE93A357AE4B,SHA256=7CD7ABA42391FEFDBF6A60AD82DC958437C5741F921CD643DD97539452579172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:01.759{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D93585F5FDC6ABECA807D248B500F1,SHA256=4D1F7AB069CEB7488B87606176BF67232AB76FCCC56B4094F9895DF018AAD353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:01.455{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E9A8AA563F4C08294C3FC73284FAB9B3,SHA256=0C4FB85C67BE5B04F9760E7CF0C9ABD2AD5D9E7EAF324415BB1B76210F9E00A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:01.455{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD5ADFA7CDC4FE92D004C155BF3A0D8,SHA256=1DF952E56126194A872100E4E351709F6F7ADF100ECCB8918448FC4D9181D7F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:02.846{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A517D01BDA23C6B7ADAA9DA03C1AF222,SHA256=E40A39115F75A59D08FD39F21FEF7F06666063DB6BA79AF46A67C80C677219FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:02.563{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E1155DA09FBF37BD33283470116DDC,SHA256=77149C939ECAABB80051C9AC28CA930A433C568D633569D120346A627571D134,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:54:59.396{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52191-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:03.941{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F622602566B82BEF2FC0FC8EEAF784A2,SHA256=E3C02A2D545AF996B291E86F472E61576B30C51DB403BF563BF53820A3C9C020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=94430173FACAB71984A3BD11E46E9A28,SHA256=C866AB0787F24F0DB8D72C16E6C278FB009E6A6596C1B09542266BAD4A94F005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.864{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.856{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.852{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.843{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.838{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.816{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.801{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.793{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.789{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.786{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.772{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.766{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.729{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.702{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.686{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.678{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.659{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D9405B170377F8D2201DB2F3D21027,SHA256=E3D4846365D05E513DD0B5E36313A6928938642FF444A5564FD2AC1813490259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.641{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.627{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.614{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.601{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.589{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000235659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:01.123{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-64908-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 10341000x8000000000000000354572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.541{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:03.538{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000354599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:02.628{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59806-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:04.708{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434C07953797C739901A21C20A244669,SHA256=8C80DEBAF4A94C422CCB41AA92291B002C4F072DE231145F98C170A543164342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:04.438{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:04.433{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:05.837{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219DD60BD194FADB19FD0F8F47556F1E,SHA256=4B7AD7B28622CB694EEB60326D944C1B517DB169CDE9F814953DDCB875BBCC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:05.892{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1A44952600A89D6A6AE7EEC56C9C00A3,SHA256=9E1091E2AD760808B3E0A57D035568583C553CEE6E7005D6755A1C6EAD548B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:05.697{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=527E3B36A0C00FD8970885A47E8480BE,SHA256=D7E9ED19D8F25036E3F7F095B7B3D1F3389B10C70AEB222C35A24A9D237A8C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:05.019{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4476CAB50FE3E6118702BF8D0BF58A7B,SHA256=135D18ED22E30AB2C1B4013829E79352A72108E42633FFCA3BAC2F0540AE2B72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.997{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.990{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.986{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.980{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.977{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.976{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.973{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.971{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000354604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.938{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66964A119CFAEB1C3DFA3EDC87F12FA,SHA256=21F06E956AF2CCB4119547BC2409EAAD619965F5103A9A86BA1EB9265C93D7AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.457{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.456{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:06.453{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000235665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:04.424{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52192-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:06.111{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17577A2ADCD41500A43B47332FBD6F44,SHA256=F860CB0275693DB9D23128C6AECF62FD6BDD7EEF66235880152C415EC60FF44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.993{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC0496F7BB0C05D772DF10DD920D5D9,SHA256=41F4E5876DBA506ACAD1834F7D53F97809BD238C37C6A1207C9C097DF5DFBA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:07.197{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC3ED94D1BB033202D607D1429F112E,SHA256=B8D7461CF938E368D18C220B02462ED0952D11D25E6D53797932E7014151F03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.453{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB9F183EEFFCA32EA74DA67B8C84E2E,SHA256=8185B5C25F3E3F17C5AA93B417373CBA370E2FFA2E60A7B60D250E1B952B80CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.297{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.295{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.293{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.290{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.288{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.285{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.281{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.278{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.274{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.272{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.269{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.266{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.264{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.261{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.259{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.256{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.253{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.251{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.248{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.245{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.242{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.239{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.236{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.233{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.229{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.226{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.225{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.223{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.222{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.221{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.217{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.216{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.214{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.214{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.189{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.186{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.182{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.181{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.180{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.176{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.171{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.169{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.153{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.105{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.093{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.091{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.086{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.063{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.051{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.018{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000354613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.010{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000235667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:08.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519C28EF658FD8FA8E5073A2965192B0,SHA256=0D723DC7DEB11B4F373B2DC93FCFB4301D043ED5E858DEC39378DAA1809B798D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:09.364{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF227B927F63BD7E70F5BBB1F8DE3E33,SHA256=018A79AAF0B9735C6C8E231E4089D2C4A46FA16342B0A8A5182D21BBF73ED1FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:07.662{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59807-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:09.088{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDC55DF11A8A2979015299D1675A46E,SHA256=19C04EB5FE9D062937FAE9B77F9D1307AE6AE739F53EADAFC3E9AD590BFA0EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:10.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D25FDBFC28B42F473FDB6AD5C43BA2D,SHA256=EE676965C30483C046F5B91087517F6B388159DB6BB0B2194A06B7EAE4DD3A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:10.240{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED72ECC945F4E8603C2CA2D9140D00B0,SHA256=7F601B92BDFCB9F46CAC944B5542749C8875F4A55E8DAF9EBD7B5A2026470087,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.992{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.979{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.952{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.945{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.937{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.927{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.887{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.870{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.831{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000235670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:11.542{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E158E392D407E3600B43EE201580D8CD,SHA256=44887648956CCDFD87721DF5460DD36077E11EC12FB70F154BD1E10227EB45B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:11.271{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C03932E4F29FBE200438BA4BC51ABE8,SHA256=AD028146FF1CECD4B0C7D8D161CE670F1F4015C82ACCF9C86FD9BDD93889CB32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:10.450{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52193-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.855{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD8CD81863F3ECB56DD2FA6EB60D764,SHA256=13D5332972FB22C60C16B306D53B0CC5D9E78E1D7754EDDF7B7C52FA5F13B977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:12.439{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F476FB06A51524A26EC40CF79C53809D,SHA256=71ABF93D6FB8186674EB881419DC2BF4CD4F73255FF35E32743F893587D67CA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.021{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.018{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.015{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.011{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000235692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:12.008{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000235702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:13.934{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9F1FA3876049E41521E6A78ED0607C,SHA256=B9664E90D53E77C7F8B382B737621EB976327CB1D92D7681E210EACD96059A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:13.470{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E773866C824EC49B0C1C973ABC3BE2,SHA256=D113E51DE24998C4065B7B2C0DCB3DEC59789D8579F680BCCDACC2BCA9652C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:14.589{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F065DB086B36384563B0ED623B34BD6D,SHA256=97C1F19934FB5A0FB1F97B4A505B090B1DFB6FE630899F59457ECBE5B51E23BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.901{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6AA5E5706A14091AE2F6627D35536EEA,SHA256=C3D7690BFD8138BA4E3B155C0B860F697D35ED8F2128EDB3D06D7AEA763425F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.428{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.428{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.428{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:14.416{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:15.625{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87ECF54688A5D7565AEEC9E3DDED05B,SHA256=99BC0802B7C982F182E1B3ACC4CB990EC4433692B610CA36673E3339B4AB0B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:15.010{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA84F5E39B2EAEC849843A8ED5C08606,SHA256=CD7E2F900F3A125869E8D90E6AAE1C7526D6699B42707379D80E6B0873027609,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:12.694{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59808-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:16.754{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E807F153D2799F87F49F7DC005C0EE3A,SHA256=8B5D8285BB982EC290A541D0485765FC81A479E801FEF0CA66BAE98FB0682E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:16.112{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DACE0130F08DEF20CA532AE6CBCAAC4,SHA256=8ADF8022D408F2D5F637324B805A9229466CF48A512D1764E59EA782D69B3934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:17.889{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D16DFD187EE95B5F9B78CE2A920FAB5,SHA256=006257E528E9E1E1FBF7C3BCEEA4124E6DA2A6735BFE5B0C65007EBF9FF82FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:15.471{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52194-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:17.203{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E59099544AAEB1695B5A6E21039320E,SHA256=A3832581E00E1BAEAC298D96F11468091B37DB7D058AB4B3243F373B9BDCDB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:18.992{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979E167EBCA942D086CA76B255DBBF46,SHA256=A98173F173760E5140818AAD913B1B44E13CA42E25C40E3A02D9D0C9BA169556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:18.289{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9D7A45E26AA8C96C7FC47CA245C5CA,SHA256=445FE4751970871840174F378AA2A56F43E70A2DBD7BBF12C0D41B48908F63FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:19.385{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1B012A08ECBFED26BD4B927B7927D6,SHA256=F4C3B2EFEE0D47CEDD414201623915B84CF6AB9DD620104D5B71E1DE56697AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:20.465{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D830F1C1A23E8F03D09EE56FCA528BB6,SHA256=95BA777564A4A86E896FB161DC3EF894F13D987F3F06ACC4788AF4220CFEE1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:20.044{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A465C5ADAF627717DFC8C07D712789DA,SHA256=BA50400C9D6CB360FEFDF69D3E7CEEA2CF1885DCCB313B56F9C033DE3A33EC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:20.109{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53502902CC5E577A7558A5EFFEE88D95,SHA256=5D3C7863690FFEBB25134E58B66F63C1BA411E9B6E151D108D5A9A5DE5A88681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:21.546{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33559F372FDA2BA2C79416659DD7246,SHA256=6705F53864E8D1F3BC46BBA8198D10A192C0C60A9A101A6ED2789177B2014445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:21.192{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DD8E1F17781E44B6794C35D2EC07D0,SHA256=B4C9296B0A963472639428A47DADA70663E9C11D0726AB90A4B9A80D423352B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:18.683{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59809-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:22.642{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CB9DBD60CC2EFFF9DD92B1E079F295,SHA256=7AC835AF719D2B1BE284CDBE9B2E522DC254EA52B0024F61BA1A8644BF1140CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:22.227{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B55346E9C6729E8834A14E2DA500F4,SHA256=B57182326432A9AC857F67FBAE4493F94515520C651CB970B6C25DE9EC8C1802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:23.722{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0615A0EDEFA04205291990F6B3029FD,SHA256=12A35F0610530C3997505F535971B12EFF93641166C33DE77EDD37711FADAF10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.808{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.800{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.794{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.791{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.767{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.760{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.758{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.756{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.753{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.746{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.738{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.725{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.712{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.699{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.678{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.642{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.620{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.608{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.599{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.590{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.549{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.545{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.328{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF1D9B0C3FB8018FB32F28DB85D81D4,SHA256=54BBD3BAD0D0ED97EFFAAC1CB8DED15FF8918A6834DF217EBEE7551AD366E458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:24.811{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF83CAEE681C87074CB04DEB66E3B6A,SHA256=979866EB6CAE412E6A167A5FE8718C1E16F0820074ED3A8016D738185491FF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:24.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B558968CEBD9A3B9D80DDC8442BDA86,SHA256=E0DBD9BE90CD47999305C81B77D2E926C12A07AF0FC66E7698067D84D4B982F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:21.253{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52195-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:24.224{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:24.221{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000235722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:25.895{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFB4E2240DB6DE7E113679A8E17578F,SHA256=99893BEEA3703106FBF413BBEDD70F9C9F0B1660FE82B0D6BC251257AD7A2AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:25.462{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07766D64CC6648877DF1CF27F317E24E,SHA256=13183606483DB079DBB9B5D8B81834A541E053F5E3270D1F53D582740F8D1127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:25.184{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-208MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:26.966{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062835B37FC2DFF955AD2B032E4B3C1D,SHA256=E9C2378A9657E0DD142794B7FA08D0C2C6C2A59521F842BA9D1CA708DC3FB5F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.992{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.990{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.985{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.982{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.979{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.965{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.912{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.902{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.900{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.894{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.867{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.856{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.832{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.827{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.817{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.811{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.809{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.801{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.800{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.799{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.795{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.794{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.599{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C7BF35427E8AFF4E5B942329E68BDA,SHA256=BE07B5BF194F27AB4BC5BE35410C0EFE1C1E3CD1FB9DEA794C812E76A74116C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:26.193{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-209MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.280{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.279{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.277{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.038{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.038{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.038{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000354711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:23.869{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59810-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:26.026{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.798{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0B7D89030373228D0B49FC22C8127D,SHA256=4146A38D467B0523E4700751844735B674B469F7CB8F53FD6F2BA936F689A677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.213{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FEBE707254335CEA4CA268B28374F3,SHA256=620BA3057DE556EDC32974E35648E832128B2FB8C7B30DA8D3ABBD5FD80D51D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.132{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.129{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.123{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.121{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.118{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.116{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.110{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.107{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.103{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.099{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.096{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.093{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.088{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.085{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.082{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.080{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.070{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.067{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.060{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.056{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.048{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.043{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.043{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.037{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.035{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.033{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.032{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:27.000{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52831439E8B6C61334C2357E6E12C0A8,SHA256=6C708812C7B99334FF3D832B7AA4A992C2E5104EE6E1457D0458BF8B03AF6192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.894{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=641CB6545C95502FB111D5546FEC79EF,SHA256=7C77E956798E83B56F07A177CE2EE5A4BB0E1D4C5B303D96700C12B4B4950B40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.852{30B46F62-7AA0-6352-AB07-000000008B02}903210228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:28.054{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A697943A0A3AF6D2F898D805832AFFC9,SHA256=9E2B368F5AA4E598C58CFDA21DC1EB3AACBF240CC92AC64BFC9F0951F72D13FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.618{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.620{30B46F62-7AA0-6352-AB07-000000008B02}9032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000354788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.046{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:28.047{30B46F62-7AA0-6352-AA07-000000008B02}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.932{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555936E5BBF3795E2EF66826260CFD42,SHA256=040DD755575078F0C3570F7C4561F50202D5C9EA097E870AC266D2BDD897BD3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:26.418{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52196-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:29.137{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93AA852954F0D08027BEB02193100892,SHA256=06D04B978CB4F12A41EAC9EA635B9672F325D46298C261508082ACD1E2808CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.276{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.277{30B46F62-7AA1-6352-AC07-000000008B02}7220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.077{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA9CF1EB3921B060EA1E2374C10069B,SHA256=D9BB27805B33D0091E253EC21CB47AE3D9C7901A3705BA8C5866F42767A5444A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:30.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78EEB51A7513F4075E8B95533DFCB3E,SHA256=5FCE0736974365C185942D118D1318A2C43EED9D424AAF76097A9E52E6F39A93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.992{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.991{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.983{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.981{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.957{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.936{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.927{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.908{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.893{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.853{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.844{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.837{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.829{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.822{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.815{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000235729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:31.307{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8DD57A940E96E0154D6969609B671A,SHA256=B8364F642BA1904D087E6C060759C38C5C03AA0C2AF35CB76180366EC4BA961B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.718{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D993899B815079F0E80A232564A2F17F,SHA256=0A78B53B2A03A46101DCDB87FC32BD1E623282E52A0146E37A72BF6C110E1E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.618{30B46F62-7AA3-6352-AD07-000000008B02}13369308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.396{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.394{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.392{30B46F62-7AA3-6352-AD07-000000008B02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:31.060{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A9AA7B0A141CB06B0A907C2DAA5D66,SHA256=767C5FAB5DD7CDAA74A2407274865FEA34B928D86A131630B754B68105C3D647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.862{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.612{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2283D2630F06F6343CA4AAA7766711,SHA256=D6A0430C61627362538B1DEDD390D07E42E2B85519EEFF69A0E87B77088F3B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:32.822{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:32.180{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7064637A487D4AC2EF44D91A38D664,SHA256=03F5737CD3BC23E8142090969710711C622C5FD745B9817522D9C23979B4D7DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.033{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.027{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.024{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.019{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.018{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.015{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.014{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.012{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.009{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000235748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 354300x8000000000000000354821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:29.754{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59811-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:33.706{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7A22BAD8B30EC1C6A681320201CACA,SHA256=C031E81684730A097A67A52DEEC1F24D1B9D10385E325B9D72FDAF49C4EEBD4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.909{30B46F62-7AA5-6352-AE07-000000008B02}97207368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.881{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.881{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.881{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.880{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.880{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.880{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000354832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.701{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.699{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.699{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.698{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.698{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.698{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.698{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.697{30B46F62-7AA5-6352-AE07-000000008B02}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.222{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6F29981DD20E3CEC6CFD8BF914D957,SHA256=E566796869922185031FF074DEB9B96A47579C65A21D881865A600FB1A05BBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:34.795{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE24BC4BBB02A40374DA5DFAFEBCB9A9,SHA256=736BDD9F670BC7A96C370147C0380DF50177373FBBD6FDE4689C6EA2FCB6EC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.699{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BD32DCF3D5349826DDE68647061C54C,SHA256=654E36DD743747327F948C4DB59230E19CF048C0999A4FB9DBD70713CB64F16D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.564{30B46F62-7AA6-6352-AF07-000000008B02}93566468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.364{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.365{30B46F62-7AA6-6352-AF07-000000008B02}9356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:34.348{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5FC7E7C98CA74927EAB1497B0C2AAA,SHA256=600D9D1095EF9903193944B2869369F570022DD0DAC226070B751E2F535CD69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.299{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52198-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000235762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:32.096{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52197-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000354840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:32.420{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59812-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000235765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:35.883{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59852B80FB87C678E95D1746351EBDE3,SHA256=9FA56455775A8865BA4D7037A8A562D5A9C470205553C15096675037ACEC7D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.479{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CEAF26873FC927B8887BE57A5EBEB2,SHA256=E2BDBA8585AA04ED4D1C954B017586FF4B73D9751485C69A4E3869D2C5446DC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.173{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59813-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000354860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:33.173{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59813-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000354859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.032{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.033{30B46F62-7AA7-6352-B007-000000008B02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:36.969{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59FA83AB1423C3DF8D6D21A3F9803A5,SHA256=4701887192D609CA24803F9927AF641D9B622F9DD4384F143EA253714170C7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:36.960{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-208MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:36.549{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE821A2910235BA5B42299B921392E18,SHA256=0E01F5F852963E5ED3CC7A7C0D3DF5956CF37ECEF0DF6D21043E0FF9222E77B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:37.969{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-209MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:37.597{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F43D34831692C3AEC08BCBDFBB062A,SHA256=8CCA8488FF4E9734A9C4BA8037E7A1C5E77E52D5D9DD6B40F8D96E5DF802EED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:38.733{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6559A516C44A9BA132B11D7D88C5CE,SHA256=3166BBED53E6D7BEC8C9CE87EA07CEF8E45527FF08294971A19DA9E727759A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:38.054{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFF73855E36D994E3B303355D497547,SHA256=78345A0D638A2B0949C0F275B6370D8832B3D3585A86BC32A3D1B9C936BB5D95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:35.746{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59814-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:39.894{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BB9AB16425ED640886DA1342FB5E9A,SHA256=F00BE24E6AA4ED61F24C51011E5ED2BA78F5A89568BB15DD9F2AECD9414D7D70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:37.412{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52199-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:39.149{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5138F56A4E92C2EC56AA7F3F10A9F19,SHA256=96673FABC97371F103B46A4CEF0CD0C88FD05BB1044CD69D6FB109109C141F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:40.948{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B879F97EC6016A66A4BFDF832972AAC,SHA256=F4D93BCA924A085C819A5F0364312EA89742288315B5AC5795D1E749B07C00A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:40.246{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434FE5EF75663FA087B5960FC79A9210,SHA256=481BC3E2C826BF23FDA4365B81D643AA9F6397565BEB9B3862C790F3C74FF797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:41.982{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59593C30D9A4314D54DA1AFA5B1E202F,SHA256=9FD6A3697C303BECE961ACA8C23C5F28F6E7376A130766ECA145929C35074318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:41.327{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4BACC6E3C053F885DE4B85033D4A79,SHA256=F5F0ECDA8B9B751CDA2C04E4829E43428B9CB987A43D731B049C5634CAFEDE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:42.401{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24366F13F57A4392218D39F64574444,SHA256=A4BC66DD471ABE1DE09E4BAC2F0EA7364C87737916ECAFD177C58355492832E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:43.486{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83037411E5C2173D4658F1A8828D043,SHA256=893ED9D27CE91119B3FF30C7392D6418B417848E28FABEF0C438B023E07AB433,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.796{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.786{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.783{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.774{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.769{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.743{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.735{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.729{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.723{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.720{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.714{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.709{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.693{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.685{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.677{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.668{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.637{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.621{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.610{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.600{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.585{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.539{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.537{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000354873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:41.746{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59815-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:43.032{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F687F19229E3190CB8A8FDB3DC2FE3,SHA256=EAE100FB5F3CCBBB21C14FA2432D4ABF812915EDC91F4809E6DADAB2C7BC26C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:44.564{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA0E460DA25167C21579EA774A5D8F3,SHA256=D3ECB1BD9ECDCD1AB05079523596DD6BB5E1DFFDFF06E709FE9716C6AE35772C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:44.256{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:44.253{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:44.111{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED388D5B5B54DF60A0EE1BC81B60B9B7,SHA256=5F53E04B9C3FEF3BABB3A058B0F8332D3AB68B164984D6EB6B87C3D841ED0A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.850{EFF5EEA8-7AB1-6352-7506-000000008C02}39643296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.678{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.679{EFF5EEA8-7AB1-6352-7506-000000008C02}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:45.647{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834937DBFE23D09F8F8D837EE1D3CEAF,SHA256=A1DAAAF26C359D244C1FE18500544B1B276157EC2597E92E79613DFEAB6F6390,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:43.334{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52200-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:45.206{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC5868AC84199C4256496E10EB6AC10,SHA256=2B26C58B9FB78A51DF017EC435047C0F1A9EEE9ED407BD864F1C207ABD240B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.788{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A676E4A7701DBDDEB85339DFC38DB1,SHA256=2C35DC2A99E3AB6B6562CA969F1FC15E9221748461B276F61F56C93E404EFC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.742{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAA4C5B841C2F998EE31A5564F4BDFC,SHA256=CD8F7CEC6B5B44F3CF2D35DA73101B3462CF7F0689658B1B7285C95D3F14EB5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.998{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.974{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.903{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.894{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.893{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.889{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.872{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.862{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.835{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.821{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.813{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.807{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.806{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.804{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.801{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.799{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.798{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.285{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.284{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.281{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000354901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:46.234{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D0AC535E068E4CA9B37ECC9225CFA9,SHA256=BDAE1C8B5D0A2F2EEC9085BA6A236D5248FF91E171231A699A9C9EDD9705A695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.618{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E56190E3E32AF61D36C101AE1152FCD4,SHA256=08D320B2AE3EEDED73E88DBB3AB5A4DAB302E4FADA124031CBEFA557B2276A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:46.347{EFF5EEA8-7AB2-6352-7606-000000008C02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F336314D5E4FE7DC59FA0FFAF03E20F,SHA256=8A5A2323EEA17A3065475D014DCD0E72527016E68A3DBE15A61062A85389F1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.324{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853B02C6E1A66567B01C594BEF37F21D,SHA256=439BEA0778B36463AAC86D990A6D4E36BC66F2C5D914A74EFF82BE82C3DCFA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.257{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA6B988008FB8BFEB6ED58AA2BA40AB,SHA256=B02B04978CE5D35B7EDC82679F9CC1D0BB8FCDA94F59D0392874D0921DBCBB68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.740{EFF5EEA8-7AB3-6352-7806-000000008C02}15121996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.516{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.512{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.511{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.510{EFF5EEA8-7AB3-6352-7806-000000008C02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000235819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.023{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:47.024{EFF5EEA8-7AB3-6352-7706-000000008C02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000354963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.133{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.131{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.129{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.127{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.124{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.122{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.119{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.117{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.114{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.110{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.108{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.103{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.100{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.096{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.093{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.089{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.087{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.084{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.082{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.079{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.072{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.066{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.060{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.059{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.057{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.056{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.054{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.049{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.022{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.018{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.012{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.011{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.010{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000354924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.002{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000235862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.983{EFF5EEA8-7AB4-6352-7A06-000000008C02}22042468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:48.354{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23037AC91A9FDDBB56B4A0F9AAE92A7,SHA256=B0FD5928C7B7644675846CDE71632DBFF51AEC0E6CBC8E0B7048391DC9FD6D5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.827{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.828{EFF5EEA8-7AB4-6352-7A06-000000008C02}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000235848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.393{EFF5EEA8-7AB4-6352-7906-000000008C02}14202828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.162{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.163{EFF5EEA8-7AB4-6352-7906-000000008C02}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000354968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:47.725{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59816-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:49.502{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049B4E18A66132334DBC25EDEEFAC2D9,SHA256=119FA4609E068CF7BF06972D75DE556AFE17D23173D1EF6BA63D2B4A4F7FD73F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000235866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000235865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.493{EFF5EEA8-7AB5-6352-7B06-000000008C02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E62D542F625757C0459F6EAAFD81941,SHA256=BEFD7DAEF57124010C2A068F0A1F11D3E7B5AAC7AAA3C0F5634A9D3B80D529F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.234{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C17F466FF25D9E7CF1D13461D426E62,SHA256=B426B3105608F04D1E05DC9875D0E92B43F90BEB099B6653C27381FED5B9F69E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:48.426{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.205.25.54ec2-34-205-25-54.compute-1.amazonaws.com62650-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local3389ms-wbt-server 23542300x8000000000000000354969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:50.553{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801795F107E311D043D03BF1CF685B7E,SHA256=85C6C5D2B3232941C78567E7CD91C2EFCE2703A6395E15F4B1362DAE67CF5F8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:48.451{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52201-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:50.136{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422524D6DDBB1D2207EF9F09E958B744,SHA256=3FB1AA8FE0EA6B60B9CBD7C5A3FA78ADC558392A5732FECA4A8E86702A7B0BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:51.683{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444153C467370542955316DD3F837368,SHA256=BA2C66102884D25AC27FC20E690CF78469F6413314A5954E99C9B14FB64DE3FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.931{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.891{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000235882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.816{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 354300x8000000000000000235881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:49.046{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-52364-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000235880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:51.207{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D7AA94897FE95BA134D34F5D33C5A3,SHA256=B799A9FA765241E1F272EF5C905C78D3D1D93E8C2F770A9049A527E8D0CA2853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:52.801{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8577FCC375ED13804809A73E43549519,SHA256=9FA40A3420472840F65906068405C9A4E93A3D489DB73BBB58874081B66A1B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:52.448{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C4C97EE284299ED6572216BA93DCAF,SHA256=3D9366E3DE2C90286E0D5AD767E45FBBFE03EB151C2FE83B0456FC2042095321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:53.968{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFA18ED0091037AFC22783E0828CAE59,SHA256=D82CACCE7E3A123B55A8A8A90B4561BF8D461D36507E9296A6C575FFCB52E254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:53.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1F612FC91F335B81DF45338EFFF4EF,SHA256=62831F6A429DB2E998F6A397CFCA6B3C6CCCD41321BCC28BF91393D80A0D32F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:53.487{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E218214EBF60D3A1D6EFA16FC4A938A,SHA256=13160DE24D1BB2095EAC0F063B3223BCBCB1DF532977A8CC0C1389371F2EC111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:54.968{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDF0BB96CBC6B84CB41CE1E2C3CE681,SHA256=3F599A1DCADB000CD285CBACFE8250A76841E28EADB8C2D59D678C026D53A803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:54.563{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3A7AF3BACDA54B64D758740380A83D,SHA256=17D6A20AC01CF1D373AFEA3B43B5B3F81D0D0625AE145DC8352511483F5C90B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:55.776{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=998973CFEB96406CBBC37DBA1C8D3B7C,SHA256=5A8DCEDC8F2D55457472438D73803C82173A63E87DE76A3772774655CC35E1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:55.635{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6545ED2B290921CB2691E92142E9B70,SHA256=AB11AE171028C909D839A91700A6341ACA67025999A4EAB5FC756C9BE165ADB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:52.824{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59817-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:56.727{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D988306284406D34045FB31F3709D131,SHA256=5F47B4F976B51F3B692C253F56EAE4075245547EA8B487FA2CDF588C299B09DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:56.069{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE40471CC913919EB1798759B14833A8,SHA256=9D1D45D79D8D6AB95EFBEF566FC88F3FE8B6E3DAC107FC56947FEDAD38295AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:57.821{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8141E21790156A1901E73F6A226E19FB,SHA256=4FAAE04DE11A007ABE5C4B3CAB89DE57DB6843D0A38FAEF256E02D2E56C3BCCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:54.418{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52202-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:57.184{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0953F82E377C6C883DAD7BA0349863,SHA256=3D8F4E0D5B2F7862115E57A23F8C0BC4D8C5CDED231ACAAC5C9DF09136AE98CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:58.805{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE36D03918BC1F52EBE9C13D1567C5C,SHA256=FAA3A9F49FB80DA28DF53769C7981E74DBEED4D746E152725AF8CCBFA584400C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.828{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 10:55:58.828 23542300x8000000000000000354982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.828{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.828{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 10:55:58.828 23542300x8000000000000000354980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.455{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=553D0C75F9C75B84E79B4FDB4C0BAF7C,SHA256=663F0971C68ACE15F3D7D565D4598200A822670144FA01E2D35EBF659E996236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:58.311{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281827FD2026FB6E8C9DE31EEA238A74,SHA256=3F565C5557B23B5A8E3374A399EBAD60B548A4E6F897B659DF5DD205EE416C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:59.895{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F660C390A219734664EB86D9D8AF5EC8,SHA256=A24653084DB09E8D82A51869F2C986F739337066F58887A157890161E06B81B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:57.827{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59818-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:55:59.428{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B913C59BBAEECC686B9E1E7AD6AD82,SHA256=B05A01277330A7417AE989C19382EFFDE3969F579CB9D3C687BC5D78F9EECD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:00.972{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2422048D16E7726EBBE0A044EF422A,SHA256=CDB4C34E5528C59A2EA34FEF2D83EFEA2210F4314A868441340683506EB10D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:00.927{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28DFAE07866F96B3317E1A3FD97537FD,SHA256=B68FEE5BFD41487508B8A7EE940C61A1C8AF22AC991B802B89A0C0695A85DC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:00.570{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7257C1F1A2743760377B4440532C9CD4,SHA256=9E90B95D61ABDE6B74FFAD0876D4E1BEFE92E17FDEB5516CF045577B2FADB09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:01.626{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9D47903324859A644809866B9E619E,SHA256=CB21DF03F01CE203988A4CE6816CA57699D2DBA2C58C9AE160F371C1655775F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:55:59.504{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52203-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:02.742{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBF5F85F9A142B3D7E7BAAF36B5AFD6,SHA256=9D58A8E58ADB28D2D665EC2DA44EB9E4194EAC1DEB472E6224BAA84B28CEEEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:02.052{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EA4A4903D1969D8E96CACC4E567EFA,SHA256=D41FDB2C457D97041110258FA6678ADB0CA725AE106EDF61F6E1A941B69DE8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EEFF4591610CF5DC602EF5E2DDA6E085,SHA256=ECA9EB3D53B229565067071EB3D5ED1ACD556D7E2C61599F4C52916AB9631A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.838{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.832{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.830{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.823{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9F4B54E7BD088F96CC3471BA59473B,SHA256=A13423E9F35B47E4AEB3283019A612E2F2B8A3203CE87C76F123023431ADD718,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.823{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.819{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.802{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.787{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.785{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.783{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.780{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.771{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.767{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:03.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF421806AB235E48CE7A14A17D2B4DE,SHA256=47B6E372365B847E5A9DBB728E8F83EF96B2CE845E07786BC886731B04BFFB19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.750{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.742{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.730{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.722{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.683{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.669{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.645{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.626{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.611{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.561{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000354990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.556{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:04.912{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988A19588B89EE6D3A2EC32A018B0633,SHA256=4412A35913E3E72790021196CCCE828E32777CDD461BB32692512968D2616A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:04.929{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=35CC27A62F91D27FFD94ABB6C23ECD50,SHA256=19D0C21BEC434514DDC225858A7C9EF28C2542757FC49110DFFDF1E89398B4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:04.218{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941929A3E993C6214B45ED4511EA07A1,SHA256=02F6786FDAFD737DB3E9A30AF8E8BBF23F50FAE94858564B80E6817EB6F20988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:04.344{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:04.341{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:05.959{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DE51BE48288EAA10805928184A9452,SHA256=B5C122EE642C0CFC3338F64E95733A211968FDFA1E133296FCBD4D8B54A7B58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:05.895{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7B214B88E2DD1F9FCE88C107D4D1E46A,SHA256=8AAD68C44DF78399EF7B20A2CF938216D60D346D1CE0A8A9F4F284A7B57E658E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:05.302{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C760BF3D128F4E0EA8BACFC6F8C607,SHA256=050DD41D6DE6F6B7456497B734F9B463E4F83E0F2172DB558B20BA81243714C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:03.786{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59819-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000355034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.987{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.975{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:06.381{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9BD88CE71EB7FAF97945BB95DE560F,SHA256=D8684A43F2365F85A4225369CDF01BF301C1A3376CEE4293E518D3CE492BADD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.946{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.937{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.925{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.919{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.918{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.913{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.911{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.910{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.906{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.905{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.394{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.393{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:06.390{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:07.463{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF98E0EE05C1F2EA79182E519E3216F,SHA256=D35D711DD0080805F234F9509BC399C2F76C8EA2F57797A074F3F7755DB00628,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.259{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.254{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.252{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.249{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.246{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.241{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.238{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.236{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.233{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.230{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.226{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.222{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.217{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.214{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.210{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.206{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.201{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.199{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.196{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.192{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.189{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.183{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.178{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.175{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.170{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.165{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.163{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.160{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.159{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.158{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.151{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.150{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.149{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.148{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.117{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.114{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.109{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.108{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.106{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.102{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.098{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.095{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.078{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000355039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.068{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F31688C27DB53C8A1ED3B5EB4F85A7B,SHA256=77B5EE74181458CD86DF6E3765E3AB670B24C4AEF21E929A85433B737C301D94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.030{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.018{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.016{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000355035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:07.012{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000235932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:08.555{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846343D4D19E34D8DC9E5CCA2B9EC34D,SHA256=F303D8D19BDFA2D69584AF38D04E6951B8B6A06F7355D67A92F5A118B04AE3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:08.233{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6070F144383EDF21AA39E0CE329A45C,SHA256=D2D15056AF73ACCA7B9796E7C6F6BCD8D85074872609E03D56E089E61AD25858,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:05.461{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52204-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:09.626{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43050A185B0B9839DB205D880311789,SHA256=8B0C864356A4B3F31C3FA14727CA6E7D3843704415422AEB41990245341C3A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:09.309{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6829F972768C8A863AB7EB1CA5689614,SHA256=65AF2D330150936FDB3B6922044321FDEFCCA2ADE870C3C3784DEEE7D3A8FDD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:07.000{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52205-false169.254.169.254-80http 23542300x8000000000000000235935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:10.709{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE907B1D00340A3D2F2C58AA11EB761C,SHA256=40D35B79325763E8E3E4B972BD4E185DB2981457B0BD903BADDD763D5A85965D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:10.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7D7957D0A221EE034F6ABA1DB2503D,SHA256=2849384865CFE8C0C0907233B41C8250986EB18C0DF5978FAAEBA89825EA1272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.991{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.990{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.947{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.932{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.844{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.828{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000235936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.814{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5785540547CE39593CD9D4363208E34,SHA256=2128EFFC3C420B98D1EE8EBD1A84B0324105E68EBF78950F6D9608D9AB967FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:09.785{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59820-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:11.375{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A13C805CA996A64BFCBF313CEFEE86,SHA256=D46C23E6C8FC7315076D5E56B604EF831BECB59028E0FC52C93AB9B5C3D683F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:11.333{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=FB47EC98E4E711502A98C9B570058F6F,SHA256=1069EC5931774D1B500555F0E2E08C8F89CBA5A7D2869A2BC86AB3BDC236E3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:12.516{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9D5A2803727900EE8E6850DE29302E,SHA256=43DEB8897036A0D5820605BD1B9DEB8BA90F2E0A4E0AA42F9C1ADC03261C6B2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.071{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.066{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.063{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.059{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.058{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.054{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.052{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.049{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.047{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.041{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.036{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000235954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:12.007{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000355090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:13.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31F2CC7E8AEEC514176877E84425803,SHA256=CA7A09320C3082FA74040AAC687BE5AC0952CD4D5966003AC83EEF48482CABD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:13.347{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F4A2F92877686A769F0A9220EA9233,SHA256=920CBD3476F1D9E53C98A188D0BF6A56CC20D46BC74E510509A8DDFB6073890C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:14.588{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F241028BCB174B6DDE1A6D2C9AC3A93,SHA256=0FF0C50EA081CB28590A8D8B21F6E4648D93A131355455EED3765B973735044E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.437{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.437{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000235970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.437{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.425{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340696F62B9264096FAD56058170768A,SHA256=F820C638B39004EF859C0D677DB0EE83808D7FD11E9B863964E49F688408D36A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000235968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:14.417{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000235967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:11.392{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52206-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:15.959{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc51e18.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:15.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A7A2C97989B4BDF1C11C6AC69C6301,SHA256=2B98E365ED0BE44ECD1A8B78AAA7108157967A725F960E04FD2359C0AAF240F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:15.520{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E872E36A6EF98DC9ED5CD644B9F5EED,SHA256=BA9F1D4C6B48168D4A6D49735E818A3C3390B2AD11D4159C4E2C4FB4B7870FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:16.758{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93D232201360051A58524B0B56C3B3F,SHA256=44988FB1348F9E6BDD48BF3210CDBF6680591B455DA5DBE66946CB5C0394744E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:16.610{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563DDC3206001FB010F9FBD1AB01C4B7,SHA256=C807C87697ABF8EEC7023C0D3311F4B48B2B424846C7470399AA7BA8CF8A764F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:17.812{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF24177866508522AF369E4C2D6A933,SHA256=0DDA5FA6CB8780AAE8F494DCDF03A93933699DAB954A2EEC9817BFA7BB2EE626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:17.703{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB476C6B771067F7CC3F31A41007E11,SHA256=3B9336A247094003FE365A25B4C9395A9648153EA31B7B468390A8ED64AE4F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:18.883{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E28EE6F8880E8D8515DDA47B537864,SHA256=65C603F81E375BF8011389AB0618D3C5D60B2A648FF465920007238432476DC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:15.757{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59821-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:18.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F217918D360C2508CBE54FB075DA3AB7,SHA256=66DDB577BC3B501EAEB692FC59832CBF0347B680F76F24C4851D75AAB337A3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:19.942{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECB1E9DB0E0225320E1B37F91322F2F,SHA256=21BB845D1F49CBA45F1E122756EE4EBAF7DD5CFC9177B74ADFFC05952A62E321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:19.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4122ABABC2AC95FF667DD7F95267559,SHA256=D68C64EA73397EF9E53DCE68F8C525620CA0179A4E4BA45188FD65E8757E8F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:19.397{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=35A1F3492F1E3A1A1B6E1063BAA34E32,SHA256=60AEF45F5CE52FD50C71C0F6B4B9F5A4B3035A4FE411D3073069AF11A82B938A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:16.405{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52207-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:20.952{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBC5FE2A9F83FA2CFB0180DFE08A617,SHA256=3FD5F61FC244CC06F794E19672DC517DD343E70A3284DECA1ECCE0625FDE025D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:19.131{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59822-false169.254.169.254-80http 23542300x8000000000000000355100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:21.044{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01412585C1024908732BAB58E2E29934,SHA256=DE3AA7B2902EAECEE569875AE5B2FEFB6A1787F7CD577B6895568F0C2D199792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:22.043{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924951728F99B8135FD6F649854E18E4,SHA256=B8104914DB57199C7C063B1F905FA804BD2CB89A2E5611FFFD86CF6CB4B69795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:22.103{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63859EC44054910DF0EA057B72A8404D,SHA256=7DAE80B2609566C83301860848EC6AA6260A0A4FA9CAC48B050BC84F608FF1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:23.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FB1CBD04078A911545C3795F2D0386,SHA256=C264D60F7CED6AF50C98895B2E3834F856E071B1711EB4804EBFA7C5817C3B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:21.772{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59823-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000355125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.836{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.832{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.826{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.823{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.792{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.788{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.786{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.783{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.777{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.771{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.756{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.749{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.731{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.718{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.671{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.656{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.644{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.618{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.606{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.550{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.548{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:23.175{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB8A997610F5593211D4080841B699C,SHA256=480D421E33996A9AEC15ED2D0C7A89397F243970A62F6E9DAD9CA5A26F0FBFF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:22.296{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52208-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000235983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:24.221{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CFF34E847FFBA204F9CD8408F943F8,SHA256=EEB762629C25991DD8B00DB1A7FBFC8ED56C387EF7A21AD3665FF846491F5B86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:24.292{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:24.288{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:24.212{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19D08B3832BC03B3589344715FF2B24,SHA256=D40C5EC5B4193EEF5CEB9171FA16E618210FE1341FE795A3ADAF2337599CB2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:25.315{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46B7148F8F85A2ACBAF967BBC7556E8,SHA256=BC775F148296FDEEC66F9711F7B35F663A90BEDA6E4B3C3B8973CE06057A298F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:25.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AA888F37A9C81D1DEDF6C73B9F1D97,SHA256=B1FAFB70D06F6CC21FF48F748FC04FFCF8DEE29FF5BC8307E59B6960A7D49B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:26.719{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-209MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:26.400{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8FF65BD39DFA82E08935D20A6D065E,SHA256=0806203063E820DE89AF33B16E9C59746BCB4D517C39B39A976973E954BF01A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.974{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.963{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.961{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.958{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.935{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.922{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.885{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.871{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.858{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.849{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.847{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.843{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.839{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.837{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.833{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.832{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.353{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835837B519BD3807F7C900A3B96F3E35,SHA256=D645859619337C5EEFA462223EA99DDC3F9C41975CD49DF1A4504DAABD3074AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.313{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.312{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.310{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.040{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.040{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.040{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:26.025{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000235989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:27.725{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-210MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:27.489{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FB27E5B792A5FA61DB7FC68127D235,SHA256=7B53C46B5501F0246D51A827E1AC02D7EC17F63C121555F5C9750BAC563EC6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.453{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB84EDC1BC07AD44C5E979D040E6D8B1,SHA256=3DF2C8E7D6D740997EEE4ABA913BE13F6C3B1169F671AFE427808D241D787C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.252{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD2DEBCBBB90E154335BCB22AA4083C,SHA256=C518425F6A3D14AAEBA692BDB294FD3C94FEECA36F05998BF4E0A98FDF3D596C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.152{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.150{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.147{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.145{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.142{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.140{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.137{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.135{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.132{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.130{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.127{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.124{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.119{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.118{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.116{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.108{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.106{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.099{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.095{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.089{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.086{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.080{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.079{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.076{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.075{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.071{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.070{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.043{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.039{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.038{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.033{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.030{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.028{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.014{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.799{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.799{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.799{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.798{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.798{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.798{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000355217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.760{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67D1F9DDD9494EB59BD9E474C3428482,SHA256=C1B3F8A444870D0FAD6E7605BB3475C2FB4BC528761DAC65C7A628EC78C4E932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.682{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.684{30B46F62-7ADC-6352-B207-000000008B02}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.513{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09460002ACE0293B893362A78A6F55AC,SHA256=08937D684971287F042E19EA209C9DDE82EA0B3D014019B3E30F0F6958A003A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:28.595{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B600B82A2D2FB75906B91471F5D810,SHA256=64D28E063C8A4EE78F6E0DFD2DA13E0C643FE2E26B3CA758EC7D4B1E759608DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.055{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:28.056{30B46F62-7ADC-6352-B107-000000008B02}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000235992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:29.676{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C772FF8A398ABEA78CA1CDD175AB6A5,SHA256=43BC349364C23C765AD59B7BFCBA2DBD2A383C33EBB81B45C88B2E298262BFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000235991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:27.439{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52209-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000355235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:27.681{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.569{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0E77E37DF61454CE74805EA28FDD46,SHA256=1FAD75B76DC8511E601463706DE7326E118E5AD06C5B5AA87B5D71BA1D631661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.515{30B46F62-7ADD-6352-B307-000000008B02}758810208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.335{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.333{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.332{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.331{30B46F62-7ADD-6352-B307-000000008B02}7588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:29.132{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AA2B0C4AD92D5D2B43E9D95B7E8FB09,SHA256=C4BCE9F3616B957F075C8092DB1CAC5C7B166A8D06F3FE3EB6931F01EA659303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000235993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:30.647{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D356D1A2E12B37F928764B87C5566BB,SHA256=C8FBFC5675AFFC82E89923F66E3EB3029A0D847D3BEC3EFF4C2CE9639C92A7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:30.618{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B204F9E8967AA517378C7CF469BE4204,SHA256=2B121AF137B69C78A6A6C12B18CD2766F49C1D03E351615DD2FADC3DA3F477A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.672{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02205B0097AAC4FC7656DD6558A2B95,SHA256=781B52B4985220597D8A6F38407A81786B3B16E3B3F52D4DCAE363D8D3D15548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.989{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.979{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.876{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.846{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000235995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000235994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:31.729{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2371E429A9F3F9614D6D93B7C4BF1443,SHA256=7EA8614068815ACDDDF985CA34D626074FADC383B97E641F942E77B845A47E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.604{30B46F62-7ADF-6352-B407-000000008B02}71249576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.388{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.389{30B46F62-7ADF-6352-B407-000000008B02}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:31.061{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0D47F55533C20BAA8A0E7069B0772D27,SHA256=ABA83BB358EDD96F7B3DA6DB3F821646A060062B41A8702E6D95C25CE3B35BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:32.842{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:32.726{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F021B7DE2DDB7F7A020F0CDEE9714709,SHA256=1B6693797727F04440FFFB1832E8B0B3D68AC93B01718E4856B292E46F142DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.978{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A2CF6EF1D8B0BF10A8BF879D2B2FAE,SHA256=77342784E356ED79433EDD43239FADF5DDADBB0C7C55F4011276D5D70A4A591E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.884{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.054{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.051{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.049{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.047{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.046{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.044{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.043{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.042{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.041{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.038{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.035{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.021{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.017{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.008{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000236008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000236026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:33.983{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A2B6042F80E0E6D04DE8A5365BB26C,SHA256=B08DEA6619D220C987253EE5A23C3FBC12F0AD788136EC5DD16D72CFE4FC1130,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.961{30B46F62-7AE1-6352-B507-000000008B02}75482420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.846{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CC0F1DAC643ED7A358BFDCA86DAF6B,SHA256=CFFE5515C0AEBBBD26B0981FC0CA0E1B8D33B437820883B45F7F3BDA61C4B5A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.776{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.775{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.708{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.709{30B46F62-7AE1-6352-B507-000000008B02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.958{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.956{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.956{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.955{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.954{30B46F62-7AE2-6352-B707-000000008B02}4760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.905{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5804F3821689E9848C306EA95E5BB8B3,SHA256=627C3F4295CF4E618443EB2425263954C3C1EA816799B95738560222471A9AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:32.117{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52210-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000355276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.678{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12414C12EA3B0EA3B2B11186E7305D77,SHA256=41A8B662541E50DECB1F7B8FC61BE9F24636E293BCE084A7568219F1F67EF65C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.589{30B46F62-7AE2-6352-B607-000000008B02}87487552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.378{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:34.379{30B46F62-7AE2-6352-B607-000000008B02}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000355266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:32.447{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000355289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.676{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59827-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:35.939{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736417DDE9B24D073429DDB0F0A219FB,SHA256=871DA143B905E750A73FD0A643ECE6CEEBDF511B1D0F5F87574E07713CC969CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:33.423{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52211-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:35.070{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B81C8CE3A5EB623E47AB5B6A1C61777,SHA256=D829A7FB877C88B576042612AA97461800437829A3F95EFF428E1CC6BE37010D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.192{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59826-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:33.192{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59826-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000355290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:36.994{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4E8674C2B7805E54F55096B217B05F,SHA256=428B10962D7ABF87A84E225A90694AAF856CBDCBDB52210F3240668756EC5E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:36.158{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543BB3E887F68F52DA06AE4732858E7F,SHA256=5F2B01B6943BCA0D5D5F2CF5F08642356774792C0E91B1EE7806B69DBF7C1C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:37.238{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A31EEE446B1C0638695A8A85DF4067,SHA256=669AA224F5D1227BB785E554A2637D2F77B0E314317C7C9E9DD7EA5083C93346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:38.332{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D41B8938A1D58ED22164C92AB469299,SHA256=94B0FE556AA6CB94D557AB4540E9EF5A2A326960DE1DF88F50C3099C7CA9DBAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:38.490{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-209MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:38.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C1E6613779EAD5C7E8AC0CB5B6E5D6,SHA256=302B40727147AF2D9C7BB83D4647A3F1291745B3D532AD2ECDF32FF1534BF190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:37.884{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-54199-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000236033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:39.418{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F048CAB49AF22ACEB6CF43156FCEEC7,SHA256=26A0668ECDDB9CD8BBD0B29A75AF086B68186D57974871A8797C180981B4E265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:39.491{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-210MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:39.189{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611212951E1E422B3D3863F8BE1488FC,SHA256=8CB7CE53232E9713CECC6A39D64DAE64EBFE0F1BD6A73C0CC0F2C8E9C48343B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:40.509{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D011B9E18E9EFEAA1C682CDC659FA4,SHA256=D94D3463394082AD61215BF3D6E70305C8D15510EC7AC606D69D219D3157158D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:40.267{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B04339ECA655A4D64065B7A55F26B00,SHA256=AAA9ADFD2973B93613331E85E1B839D5F9E77A997DC1005699C6D95B19F21A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:41.336{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D89B4CBD9C23FB20C3D8A9E45DA06A6,SHA256=F9D5EB5F51FAF63B60F0FC75529CBBDD6A16D6489A28E586B4032E8042D4D642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:41.607{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4AAAEABD4B0C38140751DEAE55B902,SHA256=E896C72F8C868C11ED0438B856EB0793E48E99724570A655C1F9BE097091478C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:38.777{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:10d6:176f:f5ff:fef0win-host-ctus-attack-range-144546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000355296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:38.714{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59828-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:42.682{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CFB2745E2BAEC627720F745F5A31D4,SHA256=B9C17623BDBBE01C1241BC46A485928678F13220E76583C919B60CA75AFF3EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:42.371{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF56F33281A55080F7EE2FC02E2BBE7,SHA256=35C09217BBD690E764225946971E64785308B4F8989BC43201FDB5F1C5A720BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:42.353{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F695001B64BE9EA4458FC5D0E7F7B7DE,SHA256=5915DDE81FBEDA7922927A08263CAEBD8F558330922F773C9F2FA904CB81C7D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:39.340{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52212-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:43.766{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFF987584F1A8612C90F02FE96A5C5D,SHA256=D1799B5F0763F7872E41B8F96D63EA1DA64E8ABF6176DCFCC3D17D7B7B220489,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.851{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.842{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.822{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.821{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.800{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.791{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.785{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.781{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.768{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.752{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.731{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.716{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.703{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.689{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.662{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.639{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.627{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.610{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.600{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.552{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.545{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.427{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64374BA7ABE526F01763B618094FCB46,SHA256=D99DD22C2C33F1D7BAB2B1087F6A5945C6342B01A6FDB2FD5515AF309060E7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:44.846{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2DD385669DB6AE4B70C0B89C611ACD,SHA256=FD20963E45659671E0F735876196F743EF9B5A559C5A0C9591A8A3A9EFFEED78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:44.559{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F184C753CF475E072F8DC62F3C10F98,SHA256=025993F17DE406EC53B0D0FFFE124231C4FAA88A864EEE70F31B1ECA4A507E6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:44.327{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:44.323{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000236064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.918{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA556757CB417BD1B211E30E6E690021,SHA256=3273E99FD60E8D625B30CC5825EED23F28C2D8E21A5594E57023645CE908A4A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.864{EFF5EEA8-7AED-6352-7C06-000000008C02}10923476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:45.605{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6AFDEFB812D0C54AA6C665C252D81C,SHA256=83998CFD3139CE19082B9021470DA28B2CD205E0DC6802E186CD42D782D993D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000236056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.685{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.686{EFF5EEA8-7AED-6352-7C06-000000008C02}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:45.016{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F8E1B2976136AC412B22D4B10B13438,SHA256=92889E61900DE97FB11ED53AB2E8BA22AE75B74E75365175ADDA16169CCC1143,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:44.484{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52213-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.900{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D16765A14C17199B4EB618ADCDFF0E3,SHA256=5151A1CEF4CCF91A98B901254A8EE9E9260ED2680A12DF59A5E38616C2CC71DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.492{EFF5EEA8-7AEE-6352-7D06-000000008C02}31203616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.352{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:46.353{EFF5EEA8-7AEE-6352-7D06-000000008C02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.986{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.985{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.983{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.978{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.975{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.973{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.962{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.925{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.919{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.917{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.914{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.896{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.887{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.866{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.861{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.854{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.849{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.847{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.845{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.843{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.842{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.840{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.839{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.649{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB3830A437A1BBFA90DD2A511A17A6E,SHA256=AE510B28CCF1E86D438BD0FD5E110A42D827E7C7EE8F0547B10449F50617D24A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.337{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.336{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:46.334{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000355327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:43.737{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.914{EFF5EEA8-7AEF-6352-7F06-000000008C02}8001020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.709{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0888C4E970444365F1000EA55F3FA3CB,SHA256=C491A5275167D84C8E7EFF8D68132FAA422D1E25668825B2B80235070E0F9150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.711{EFF5EEA8-7AEF-6352-7F06-000000008C02}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000236093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.027{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:47.028{EFF5EEA8-7AEF-6352-7E06-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.206{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57440FC6E8B5AE594F300C0B45B846CE,SHA256=3A05B66E2FCD1EA0D25CD1127ECAF8E55364A5055A8F21BEA452428E781505FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.121{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.119{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.116{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.114{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.109{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.106{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.103{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.097{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.095{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.088{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.085{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.080{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.071{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.066{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.062{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.054{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.041{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.040{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.035{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.033{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.027{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.026{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.025{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:47.025{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000236123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.971{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2EAE5C565CC98C57289FD5A1B31902,SHA256=877496E1B84EA9E3C3815171EE55CD3F4B87C3FC43DE01D434143D25B625161B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:48.769{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3992A8FE06400F4173FE99034C35289,SHA256=9816191BB86CB5739670679E86B98A27B322930242F60716470E6989A3433DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.455{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4811DCEDB3B4652BD2AE8B1B600F2439,SHA256=D3E4B039517C06A74884AD828F041239BE3134E75B26E5C1D5F1DDBE600EA6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.455{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F798FCD15196E17395A47AC91DEFEF,SHA256=08EEBF1DB8E88F547268400125EA7F59DF4EAAB3E840474ED98D13C8E3BA2529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.377{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:48.378{EFF5EEA8-7AF0-6352-8006-000000008C02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:49.813{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EA00DDAB1C0FA73C886E83DD6C56BA,SHA256=31146E402F862F5A0B10AC9AB8363E2FE4CB825984F062B292A74BD13EC1735D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.611{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.612{EFF5EEA8-7AF1-6352-8206-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.564{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D202145C7D3952C297BB53613B7002E2,SHA256=C8C9F75FB40D66EF61359F16F35A5CE5A73286E50A0EAB0C34CAD7CAE4D1C759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.271{EFF5EEA8-7AF1-6352-8106-000000008C02}656496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.054{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.052{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.045{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.045{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.045{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:49.044{EFF5EEA8-7AF1-6352-8106-000000008C02}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:50.858{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673DAD38600E58B7D3D138F1BAF31DBB,SHA256=65C819821D462F01440ECC12C0C8632A7E4A2671EFFFE882701380E42B3FEC97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:50.242{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316F2CD4CD82003764CA46635C7356FE,SHA256=EF08D0692738D64973B8F6C90AE09B6C5BA1EE985B3570E749F56EEAA31DD0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:51.897{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E307E93315FF92F13F108E245AB723EC,SHA256=94DD43A8668CE23FEA98F4BE807A16259FFC5FA2080BC97CF879740F7CF97188,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.974{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.972{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.969{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.968{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.957{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.954{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.944{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.940{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.877{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.832{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.817{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000236154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.815{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000236153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:51.461{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8B39AA2D6FE0E3B4D1280E9D5E9570,SHA256=38C78BF26BB1B75860BE5661E3C4C690845481B9F493913A9F1A07AB5E5324A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:48.738{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:52.934{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F6E4C9D0108F30A83D1AD6A5C2FDD,SHA256=66E08ABFD291A29EADD02DEDFBFE2C9982E817BA7862F82CAA1C83A3CE505B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:52.612{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8596CD7982256A60A2523A7CDC3FE943,SHA256=F81882BCB42E062DE13E40E2B0CEFD646AD9F4FE7BA99C9D835973C1C55AA538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:53.977{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8323AFF5CC15269A6C1D7B060641E5,SHA256=D57BBD8BCED184ECDDBD434624D85497473026417EB4C96D21F79417C91AC617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:53.726{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C3ECDE39A4F6925CF3A80934D864C6,SHA256=AA63D0DA1151382B2D6F9C4CF5049FF50E95F9F7301E9975E1F21943E6E5CA75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:50.385{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52214-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:54.811{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0F2EA5D29B24B331B0F72904A51DCA,SHA256=337D4937FF8392142C143C589F203CC94BA9BFFB8911B9B842313463C4B6BCE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.850{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000355401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.748{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.748{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:55.892{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5143F039856E47D000B43C40AA80B3,SHA256=B7D00F5D529B65DE2F2DA8139C68FB812DA397E92E4E4FFBC40B067476A2BA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:55.804{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BBFC7C2C29F2011274ED0CE402E5745,SHA256=D038EFE7D44BBCCB5C61220BE6F7344D7948C0DCFB2359777313F6B6FC40604F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:55.065{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F125FFDD344C357DA4FAD93F3625D49C,SHA256=D074C374CBC1A8B0351EE1A66917710E67B74D8B0F2747F4DDEAAABD9AA6F1C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:56.983{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A38DB2CC6AE06130DB28E663E3D315B,SHA256=AC5BC58C24BE7105AF9B68176E0F18A9901E9C90ECA738E15A3ED71411AB1741,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.676{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000355411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.479{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59833-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000355410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.479{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59833-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000355409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.386{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59832-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.386{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59832-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.378{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59831-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:54.378{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59831-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000355405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:56.124{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F40E9C09A8838E0B201256A3BA44136,SHA256=C79CB1F5154C50261EA6B431E05317D3D01A6FCCFD9C37BEFE75A558F7C7817D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:57.188{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63414863B3C9E618BA4D89375DE6743,SHA256=2B5CA0F2AA329EFD6C733D73584DF6AACFF22EF9E1B939BEFE6BDAF15CDB1229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:58.260{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709CC6EF1AED1BEF2055EB0E6ADDF73A,SHA256=3DB50AC25997E95CF54C59CF85E68D69FFBD0155143CB9256D0602A534F795DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:58.074{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381DAE5575BDD79A95B528880F5C2A84,SHA256=18A7E46C12AAD271F48B3FAC3B23ED412CD672FF7054FC307979B1CFE90837CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:56:59.336{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D917F004B945DE5DB93486A9943D41F,SHA256=709CF353318CA4EBB4706178301F14608606A0419926CB153C16DDCED123882A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:56.293{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52215-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:56:59.166{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596A1DFF6D948CC7483A94855B6A94D5,SHA256=BD2E70B1B23FCBB5E3F8D58CBE47BEA8345D8E16C25F0235C04978418E0321AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:00.380{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9C4C4E3277095ED085891FF32F8651,SHA256=97968B5CAC3168BA6B98C2C33E5881215FE8A9BB6B1242716BF43425728FB801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:00.250{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F956E2C346BFE0F42452A39D9810DF6D,SHA256=C3E41909A02BAE919581B3ADBD92A38D2AB0897D30DFC70E73A4CE63A4CB7B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:01.441{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7C79FA5D48181FA8CCA0140A208D6A,SHA256=9C1554503C96C5DA7302C89DDA2B45E9025335FD4F01B6D46DF47744C79F8D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:01.327{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E078CE352AC5FC01F63DCD92AFE095A,SHA256=1501DB3E7229F2A1B19DF3627BAC07813114D2D170D57DB0429A84E4D798014F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:01.140{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0E22C7316B3A72BCF8BDE8EEB8B7D657,SHA256=34E7FBF7C7AC9A2F0A431328060F9CC200D88A41C2303DB52954286E3C826B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:02.485{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB58A072450806293CBA112FDDF57EA2,SHA256=A66C8B84EAB55BB498A15E0B09E8AA867437B9FD78882D3D563431AC1048AE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:02.415{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE262DBEB3C98AB6BA1C9147EBEA60F0,SHA256=B97198BAE6DDDF9E0DB4CA739A1C723008DB94CB6FDEA81D7DEFD2C6978A9C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B18C1651F0B522C150A40334F7EAB35E,SHA256=B1612973BA632F28D2EEE18D92B3BBDC33746C0A27D6E4CEA8F68CC6F9F26C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.793{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.788{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.777{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.776{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.759{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.753{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.751{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.749{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.747{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.742{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.737{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.726{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.717{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.706{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.698{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.665{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.654{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.646{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.636{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.627{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.563{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.560{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:03.547{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A176F3242F52338961910262E5B36D66,SHA256=A035BC15256B250EA9EB5B196E2F447907484B81139A2CC5E658147B6CE1DEA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:03.503{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238937ED6E10E4927D3C9AC2FE0E67D,SHA256=7D448A0132E4B8FC5D0A8BB7D2824E8EB214438259425E5301CA63EC30E1466C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:00.647{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:04.596{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984952D0D4C3E63F65D5DDE9E2618A90,SHA256=CD4E2008B979C9F21E331164DCA06104B247766A6859B18B4845C9AD6FD78DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:04.588{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF35136D53FBC50DDFE3826FFACEF92,SHA256=3E21F0356E625EEC269F686261CDC849ECD3EED368A39C0376B48D510DB79870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:04.221{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:04.219{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000236196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:01.497{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52216-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:05.906{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F65AFA02523957873E35BE0A28D90CDD,SHA256=DEF3D2AD92C95F668C3E809F7FCC35D7C2B119E3D5B892B781C55E226DAC3A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:05.687{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E2C4BD6D564995FCA30B056C40CEB3,SHA256=02DBC0996FA08189C7AD5954C9FC98CC6C59D2A5135907DA88958CE8F48E5404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:05.674{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DA57D142EBE00D8549AE855523B59B,SHA256=F2E3F064B1ACDB19FEFD9D2AA5FF93AE35B76FA1A66A675B45178DCE28BA6972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:06.769{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2735567076D205308A8B03449A4D4E4,SHA256=C3810D21498DFD8A0FA04FD6EC0B0717725E397E229B6BCC15636172BF3B03AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.988{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.983{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.979{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.978{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.976{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.973{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.969{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.963{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.948{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.879{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.871{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.869{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.867{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.848{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.839{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.816{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.809{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.802{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.792{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.790{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.787{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.783{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.780{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B8BDD82EEB7765E7A932D9C27B69EE,SHA256=ABA5189B121E6D16BD84B8F01EE72568230D156C52A705A0C6691C1626AD1929,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.779{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.779{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.677{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33FA3E5716AAD15FCEB449E7C406EEEB,SHA256=A467E45C60F7C33FBF7541D05156BE35560854D5984B56517C36E4F1B1EE1A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.254{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.253{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:06.250{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.709{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1FB86F1197F2FF501C7D17D7E0EA16,SHA256=FB1BEBB7E13D9DD69064706D352C5A1CBD79A0CD44682C1BB0A2B30DB11F17D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:07.857{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2639CC597627D3FBC20CA4BF34ACA2,SHA256=E1824D8F00FD0683659226B09073A735A6259E55286B05D08E475CD7D84D17CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.327{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE01B9AF8BD86DEC7D972C464103BAE7,SHA256=5856930FF58765986D3813CED9D985585A55FEC53BC6BB8D8D82CAB861E4DC0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.124{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.122{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.115{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.114{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.108{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.102{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.099{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.094{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.088{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.086{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.079{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.077{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.072{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.062{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.058{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.054{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.049{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.039{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.038{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.035{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.034{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.031{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.023{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.021{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.020{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:07.018{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:08.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0944CFE5792C92025B19CAE780BA2479,SHA256=E5319C0BC7CC17FBC27AC7F0925B8155494D00640CA5FEF43A3E2F4B5CC30501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:08.938{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9013A1DD20264842F68AA9B3DD843CA,SHA256=2086FA541C950F8CF9C200794B66C8B034F0B8025028448C9B7DD31E1BD195B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:05.788{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59836-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:09.858{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1BC3C0B0B8F2EB24AB0FD6048F16C9,SHA256=3E49D5E56FA7479CB9F2FE2668C8EBAB67271127D37E1DA1805650082AE9F4EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:07.402{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52217-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:10.902{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C2246E5EDE18043626758587D8A043,SHA256=0B29C77954BC91591EF9D3303485FFA1D0F71A099A11D345A182219D8865136B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:10.030{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6CD8160FB6CB853E59F739853E0CD2,SHA256=659409231361A18866050E361160D7EABE2A9B085574CE8C65F5193BE0CDDFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:11.970{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBECD8807834A572DC82AD6CBE5C6A4,SHA256=43621DE2A2380325A84D71CFC043425D818BF7FBA67B00C5E0CA41A9D9E13A0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.996{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.966{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.951{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.938{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.896{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.873{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.859{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.836{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.832{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000236205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:11.112{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13479B9369A2D965B7B8316892CF3CEA,SHA256=93F87D4029CC14105F70FD5782CF867F80905856FA4F926430A89E949A5935ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.360{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693C07C63393395F14DC6C79F08E6D63,SHA256=D515AEFC6DB56ABA1753B4070E8E5156C2EA11C098B54B90B339C9F828D48D30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.100{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.093{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.089{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.081{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.080{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.074{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.073{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.071{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.066{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.056{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.049{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.032{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.026{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.023{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.008{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000236236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:13.471{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3750341AB2163C9D3860C82EE9035C,SHA256=ED6056E71CB2CEEB4900B02F0303176C0DFBF4B524E349F6792747AFB68D7B34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:11.760{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59837-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:13.119{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818FA1D9130F3B37E67DEC6A3FD32841,SHA256=5F8C8FD4B1FC8FF7878151B9E557ACDB5304C596D1BF28EF30C94E4D0C589390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:14.555{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87B4C8A317885DDF743B88346FFD559,SHA256=E40FA845421EB4DCCBD2E875CB5D8F34703D5E1E9D0185CBC14482709D25D2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:14.164{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BFB09CAD3C56A8BD33BA081FFB32CF,SHA256=B08F8639089E58246C2A29D2C12524510CABF314812954CEC2A892BE4F695B9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:14.418{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:15.651{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AF95268B4AC8233051A86B951EE718,SHA256=03E4DD013F12147BCE2AB402EFD231F6CBAB98274860BB8CDF05D02185F7BE9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:12.516{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52218-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:15.208{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A35B7DDAE003A498FFF22ECC37F00FA,SHA256=1D97881196B1E158A14743F29AC0EB553FC01CCFEB1E695EEF1A064296ACE844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:15.417{EFF5EEA8-485F-6352-0D00-000000008C02}7881196C:\Windows\system32\svchost.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:16.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8769798E35540574E5F670C70173588,SHA256=9A21B3590753A504FD74384CEA38990D06073A93269BD95FBD8EFBE747EF619C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:16.244{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B220EE5BB9736851A68FAC19A7B44F1C,SHA256=935D4CCBC45E0B9B55AB482FD170FA1846E3EEB38E72D7012F5AADAC0098CBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:17.831{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74B064C44B5D9590FB20BA21B0F55EC,SHA256=407DB2271F7C001A08325312DE06391B3C9D84E7F7CD0611ECDCF87C594C604C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:17.308{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D62EA8DB09BAB3952F46C845D2B11E,SHA256=D167E73F4DDA9F8A4B4D42EDCF94FF00DE366B522179FB64AB535AC06D602C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:18.925{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA918C348678BA2BC16EABBBE88E846,SHA256=2D0DD76AEDA3A2307E10B6AFD3F000276B615E8BE628579B310E7FB7159A948E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:18.431{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466E33944DCB6AF7C8475AB21B17D2AD,SHA256=CA2ABAA21161A1EA3890FA33C35276E92D6EE63479085FB974DB6AAE8278BACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:19.576{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73392AA0AEB2229801E80DF9A6A526E7,SHA256=B24E18C7B1D41D47339BE42C2E8C9E3BCC822FC0CFA502ADDD415A32FCCD5FCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:17.758{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59838-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:19.723{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=80035C2609156574AF4F665AC9818C6B,SHA256=A0800162919A498A07E0B2248C4FD8A655E4CA183E1271D442D5614EADFB3B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:20.520{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539875E0701741E38E26B08F2C9C7CFD,SHA256=81451CF44305E59E7D623EA086FA1F93D724615E9B4D250C0FA5D4A4A2ADCB29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:18.438{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52219-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:20.004{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3195E5CC6665D164095FEECD6FE224,SHA256=A692FDF278209F9CB2B880ED73A68D4D1614CF79F7B7663CF88CC177B0F593E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:21.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1357162AA1D8A34490C19507CC91745F,SHA256=ED3B6B63745A530CCD4C134A04F7B5243D6BE170B8E3F1EE86F39AC6D1055E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:21.110{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB5191892983046AE677B5276981B17,SHA256=75FAFE60DE13CAAF4838C9BB587D2F7AA899F2FB688E511F7C9A47201AFEF354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:22.640{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE2FAE09E94116E76CF5573AE73E12D,SHA256=FD5AB8B58A4A26888BD7B8EED46CA4C5599B56E186E59EDDB58F492E538FC54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:22.194{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCAD0FD6EE224E22A2ED39E27273B4B,SHA256=F7A661D86B877ABB4459F19F37491AC42AD13C1DBD545285EA205C958F3E9D84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.880{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.877{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.869{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.866{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.859{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.852{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.848{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.844{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.842{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.831{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.818{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.808{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.799{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.788{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.767{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.717{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.701{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.689{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068344AF177D04BBA4D9FBF996ED5449,SHA256=5DE1EA34DEAC74F762A114E2A3EDB964C5BAC67B775F5533BABA93ACE593012E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.688{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.669{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.643{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000236250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:23.275{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053690D1AAB157B27448E72C00F2F3E4,SHA256=20204051566284442F255C5561F8BF2B2A69287A93962AC238E04A65ACC8DDE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.567{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.563{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:24.712{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26A530B8244458159B0E60642083981,SHA256=9A31486D33A294BF6F3D7649F98CC064456DAAC1EAC2AEEF55AD6E5A897926C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:24.367{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4368AE537C4C963F46BF34B85D7AD5E6,SHA256=18270A5BBCD3BEC3B28C3FE1E4EF90CA04C10E0BC99D204A9B5F495BA5B52B64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:24.327{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:24.324{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:25.789{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440E0D2F2FF561FEBB5EDC23F1E25EF5,SHA256=417896FDF96933A76A50AFC42248CDC3B9EDA4A09EACA0FCD436FF5B75599330,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:23.729{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59839-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:25.450{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8FB1AB008297E2BDF9AA3CBC6D963D,SHA256=A285BCD5B1E2F741D311B395D26540209535B8EB03C05D9832CFC9F92512F473,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:23.447{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52220-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:26.527{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159C3FA3A05AE4BFA4482DF87C2831AA,SHA256=B214AAC2D293FBFA2241DF34EC6F59B20BAB30A805FC67F71C40F2AC3CCAE767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.967{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.959{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.957{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.955{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.938{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.927{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.896{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.889{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.879{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.874{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.872{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.869{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.869{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.866{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.866{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.816{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AEDA311B2C9538266CF7D5B17EDFE9,SHA256=18AC1FC27CD9ACEF8695BDF2AB53CDF84F7796C5E7F864830F998AAAED2E2B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.358{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.357{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.355{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.042{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.042{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.042{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:26.024{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.870{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DDBA5C9B3614ACEA8DC9F6060FB396,SHA256=EF1CCF71735C50D4B2BA414002A0BC5B8C0BC1CDA51456F2DDAD632CA906CBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:27.618{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94C85EB6EA7C05FB585A5BE049F0C37,SHA256=CCE503C62C22639C22D1952C4DEAA8A123E341E23515B8905234ADF66B42A48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.447{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD358DDF77683298F484A80C8140D15,SHA256=11055B11B9DF91706C1AE5865934401D319F5CE15EF431FBBF67C62963E33D6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.145{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.143{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.141{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.138{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.135{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.133{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.130{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.128{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.126{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.123{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.121{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.118{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.116{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.112{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.104{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.101{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.099{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.096{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.094{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.092{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.089{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.084{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.081{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.078{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.074{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.071{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.070{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.068{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.067{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.066{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.061{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.061{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.041{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.037{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.033{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.032{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.031{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.029{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.026{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.020{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000355586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:27.011{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000355648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.977{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E080C00A3C9EAEEDF218E7C076D72625,SHA256=C1722EB6356BEDF9953C76AE29D387AC38DFCA40352FFD5FA0DF683E1A9D035D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:28.704{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007A69DF89618DB64F70ED2187653EC2,SHA256=63329AD1C2724A535DD5666C7EC1F91C85FC5568A05F16BBBBF3444146D06E71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.694{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.695{30B46F62-7B18-6352-B907-000000008B02}10232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.503{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0C070BE9C97BE2C8B5BC48C26E4371AB,SHA256=C1E0672439D8D5CF751F0EF85E790FBAA1C57477DDFE757B1D6FFEEBEC04448B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.048{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.049{30B46F62-7B18-6352-B807-000000008B02}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:28.243{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-210MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:29.798{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB19DE54182ADBC0B1FA68B970C21B76,SHA256=60058EB5B1C68C5B11967408CF4A58C53A283E3ADAF87FBC258D58F350E5D297,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.379{30B46F62-7B19-6352-BA07-000000008B02}89449908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.194{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.195{30B46F62-7B19-6352-BA07-000000008B02}8944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:29.094{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614450BD23164A051C226C00AC70E765,SHA256=75F710E708571C5632ADE7368BF18D4BF6FC5438688924723F81991E56BC5797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:29.251{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-211MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:30.874{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A80C22EC77F4AD823F8ECEC4CB8512,SHA256=42C9C6F6A878BAF128610909BE3A850A8FE0A624CBF372BCBB9156CA2659F22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:28.822{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59840-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:30.073{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E165A4AC951067A7864747558BB2AB5E,SHA256=3B055ABBFEBEC5FDCEE114916F3AAAB828AD50D9B3C002968749CCD4DB447EB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.998{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.995{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.988{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.987{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.986{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.985{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.982{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.979{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.969{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.967{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.965{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.957{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.944{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000236274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68B15887601D8FE420C9C818364AD40,SHA256=879913A082C8B46F9676DDA8CC2CD586623FFCAF1CAC92F1EFAD99AD805D48C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:29.406{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52221-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.931{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.903{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000355677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.607{30B46F62-7B1B-6352-BB07-000000008B02}98087628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.455{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.455{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.455{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.454{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.454{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.454{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000355670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.398{30B46F62-7B1B-6352-BB07-000000008B02}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.223{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF83D17205E1B06001EEC500B2D807AF,SHA256=DD0D4BD38CC05E21206ECFA876F898693E989C864E4E6273518C770EDA566A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:31.154{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3019A15FE9740C50A108022CB16E822,SHA256=B43BEE25672220471A099A7D4383B2CD586D825D55D050D143A18C3A19DFCF4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.868{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.841{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.834{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:31.831{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 23542300x8000000000000000355684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.884{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000355683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:57:32.611{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000355682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:57:32.611{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000355681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 10:57:32.611{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000355680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.602{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.602{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.242{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1956768650DCD72B4819C282D9A756,SHA256=092F5158EB6460640140A3511982FBEBD97437653509247CBC9CB56873F92D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.908{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.017{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.010{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 10341000x8000000000000000236289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.005{EFF5EEA8-4860-6352-1F00-000000008C02}1200704C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C310A90) 354300x8000000000000000355701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.249{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49802- 354300x8000000000000000355700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.247{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local55667-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000355699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.246{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58400-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000355698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.231{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59841-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000355697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.231{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local59841-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 10341000x8000000000000000355696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.644{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.645{30B46F62-7B1D-6352-BC07-000000008B02}7444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.446{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.443{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.443{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.343{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413E628B7A1D48207177D84BABD6C504,SHA256=68568DD7B7ABCF19183340CCCD2DA6D1A4CCBDEED89F5EAC96EE8F7398271410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:33.033{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A7735847F3021C72226005AA435F81,SHA256=1AB580D6A2DA0920F4A4A9989BE01D51176CE9405A46B1D7ECB800FD1460193F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.067{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59843-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.067{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59843-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000355727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.768{30B46F62-7B1E-6352-BE07-000000008B02}10104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AB44B7ED7B2ED1CE02D711BE660535,SHA256=9BB962E8A122344B235AE1CCC4A827131B041E2859094BE7ED7063E2314EEE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.764{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B83E50FE623D31D4B8974C7A022BAEA,SHA256=08A5B1E8D6E5AB9F152ED6CACE6061F1124A1FAC32B136DA6E20C6E4CB859693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.478{30B46F62-7B1E-6352-BD07-000000008B02}95929676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.449{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.448{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:34.119{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167E673FAEB5AEFC07EAE6A75E9B70C8,SHA256=7BD933938475FCA05CC5D14D08B6EBBF1BBA628B46557094457160AE5C45A9E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.289{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.289{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.289{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485E-6352-0C00-000000008B02}8329332C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000355705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.263{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000355704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.264{30B46F62-7B1E-6352-BD07-000000008B02}9592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000355703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.032{30B46F62-7B1D-6352-BC07-000000008B02}74447208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000355702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:32.481{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59842-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000355734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.916{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59845-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.916{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59845-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.230{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59844-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000355731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:33.230{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59844-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000355730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:35.526{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8FFE86277067D95C9AB696ADCCAF2,SHA256=3F1107705A5C3E5AE5C30FFBA7F07ADE110785EF8486C650F78D407B6D4D901D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:35.196{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DEB3B5DC6F28DA3B095EBFFA53C831,SHA256=4EFD64527E8B7A81166365878233102B0910A500D1A5EB7D6A24CB7C37257F86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.140{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52222-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000355736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:36.667{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524AFB1DCB12E91ABF9B1BEC7A19B6DA,SHA256=AC2B92B70931E8F44B3C9129B8BEB57331C1B556F600E7AA39683C8515497606,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:34.792{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59846-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:36.281{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AD1098E06C7037B4B2398727AE8A82,SHA256=6988F065C55A97F942B68F20EEA181F2EC58396D591589047C44B2EAF393E4A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:32.622{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-58090-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000355737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:37.668{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2166C27921F3261DFF649093524D1690,SHA256=2BBA45057D7E3E0CFECF5F6CF5BB9B2C228026B2EF746D7890AE9253B3A07D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:37.387{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264665F12EC8AF933B6C88E4E638ACE2,SHA256=593869301F631D503A842BBF32E2FB121A2F945DBB27AD3AA3D576ADA3D56D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:38.713{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4B1F1D233A1DA1A06F4F53837354E65,SHA256=479B20DCCE9A4CF88914659AC7644A6E67EF2B13C7457FED3E7C0780DC21EEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:38.479{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C65C516D1459A4A9F292D3E67545BF,SHA256=A0F6A519879C0E59785AB75C3D5DA41CC615704CD62F5710DA0B92584705B7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:38.795{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6B0E0BAF5A6A50766BF5E3666D1D85,SHA256=1D904F0BD905EE189A038343A71BB7C4D325A15E359A483D3C3D6740B47C8C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:35.346{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52223-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:39.563{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D229D69954A4B383FEAA1D5ED92C459A,SHA256=5EA115E9C39656C5A1D4E922B0F11B1288A9698D750CE2E24C477C52BDFE130D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:39.897{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2F35052F5BB0DD4546CD2272459D01,SHA256=6E216567219E1C31EA5341ABF8691D827D8E58AA64CC24A7429A85A109CE77CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:40.948{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707E326D0C64F527B629B6E1E700DE4E,SHA256=303890D1B38EF9A63F573DC36A39044BCFAF540432D58668FE5B42280363742E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:40.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D64B7B645B226073B5AF9623122F3F,SHA256=726E854DE29C892FD16DCCD235ABCC10102AF0554C2761ED10675F1A3BF5BDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:40.003{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-210MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:41.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B24DBD56C86757E440B9D3813D3C861,SHA256=5BE86DECD4C77FA6F786114F58A1004FCE68B2496EA08EB86EE7F81BF4A2792E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:39.856{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59847-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:41.017{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-211MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:42.813{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6788195D266BB01F226FB92F14DEFFD,SHA256=5E50C0CFF39D1E89622414FD3EC9CFA742B29A3FFEE84027DDFE0EBBE13B9275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:42.074{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA5137C84999A782694A8F9368F17F8,SHA256=E03AA6ADEC55C6000779525A964369F12AAF920F8315A110E5B225752F58473E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:43.911{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED8D01475023BE984E29DB91AFB6A48,SHA256=739C7C2BBC2D1268621B7939B4969D3DC0BBE041FFEA591295692FE48791AA48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:41.324{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52224-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000355768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.855{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.851{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.846{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.836{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.826{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.814{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.807{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.805{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.798{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.784{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.767{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.742{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.728{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.718{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.708{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.667{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.643{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.634{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.603{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.589{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.551{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.548{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:43.116{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC52AC065EF4A3057DE2D1B2944A626,SHA256=98398EB2FC84605F8F4F0F198BA8CA75DEF757F053B94A26D15A8224F33D41CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:44.277{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:44.274{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:44.162{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4207504969912CEAE4C0689254715900,SHA256=93A746170F5F81763DC526E589859C51FDAFAC7B9933E580F08F1C06DB9FE262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:45.217{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1888DD1814750A4DE907445372808704,SHA256=802C6C76EE8C7AA87587C62FF471540C09FEFB093F97A6BC619E04CB218F7CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.724{EFF5EEA8-7B29-6352-8306-000000008C02}3403440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.536{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.537{EFF5EEA8-7B29-6352-8306-000000008C02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.103{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197F0013241C4A15D1FBA461A05B36F5,SHA256=035CFF9F5E79CEBD503C800A8CFA57280399F13455ED4DB2FBA8A7EB59E54E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:45.088{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5E64A894699A73C8EED28843002CCF06,SHA256=9C9AA552606CFE92DE31DBFA7BA6917C765BA6C6E0D2AFCC5FA7D7EB8A179B42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.999{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.995{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.992{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.989{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.979{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.934{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.927{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.926{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.923{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.899{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.887{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.867{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.861{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.852{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.847{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.845{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.842{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.838{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.837{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.835{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.834{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.320{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.319{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.319{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B771332A57C161CF70279B719377B3,SHA256=26939C30624214FDA96E5235BB09CFBAE065E3471EA18B6BA29158C42B125D6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.318{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000236353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.823{EFF5EEA8-7B2A-6352-8506-000000008C02}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.666{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DD367389D6356824E378E28427D5395,SHA256=9EA4DBF4E63B66D2968DF9E26283FAB807B8067F621CE88C69EF61EA132FEAF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.354{EFF5EEA8-7B2A-6352-8406-000000008C02}27402436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.185{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D81CDEE83C23C44BB5F071A8DC6A62,SHA256=A318B47631376860393B2B1AF0F599BDF7C51F65D1F80531B5030BDBBA01B230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.153{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:46.154{EFF5EEA8-7B2A-6352-8406-000000008C02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:46.060{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=C9993DEE0297F82517BDF9C27029D86C,SHA256=B2A8290D2835C2E38795F659CACEA2517575114E2B0593D77C2E9C7BB1D539FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:45.662{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59848-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7297CDE09C8484897BD39DD0E3BE4B12,SHA256=7F4341C9DD80407A372FF8BBEA033C093030FB39F4293DE0CAD8B439FA9B8A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.560{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B93C10218BA30BB14B6A87106E60CC,SHA256=C7E94F0A4E3C37375A13262D6B12855487A1F06AD0E7F0C12D455A63561B14E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.442{EFF5EEA8-7B2B-6352-8606-000000008C02}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.439{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D471784DF0E7C7059ACD42BBAB9BB9,SHA256=859F02F2317558A4CEE3C1BCA29D1C81A8577BD817E46F341F8944EB6BAEC7DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.118{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.115{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.109{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.107{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.097{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.095{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.091{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.089{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.086{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.083{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.081{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.078{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.076{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.071{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.069{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.067{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.060{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.057{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.055{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.048{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.045{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.043{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.039{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.038{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.029{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.028{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.027{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000355802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.010{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.007{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000355800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:47.000{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000355874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:48.609{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BF49D3711073B06630E1E4FDB50F15,SHA256=671BA459B8C201AFE8ABD577B84CC4DBA25378B2A4D27B30519DA587A9E14D03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.940{EFF5EEA8-7B2C-6352-8806-000000008C02}4162736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.784{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.785{EFF5EEA8-7B2C-6352-8806-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000236382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.565{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A3ED87D6DEFEE44FF682CAED518CE9,SHA256=2FF9FA91A3705CA4BA51F15BBB1C4653D78AD1DD6D5822035784274FD23AFAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.300{EFF5EEA8-7B2C-6352-8706-000000008C02}8683216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.111{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.109{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.108{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.108{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.107{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:48.107{EFF5EEA8-7B2C-6352-8706-000000008C02}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:49.679{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B20F634BE29E0B5991CF52FA728304,SHA256=7F9A38E6FED74E65B32562734DE033DFFADBBF6EF34364EB85CF072A5946BF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.889{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=08372EFD8092480C42BC0205624CBC34,SHA256=B5ACE36AF5A3865F05A01A1D3D2F213E7BE3EF344BEECF87E8EAF94586991A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.732{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF2354072AC401D7733B42A4ACAB783,SHA256=20129449AB9439608140C7EFEBEC427FBBA971D552D658C1FAD128540822F4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000236398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.451{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000236397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:49.452{EFF5EEA8-7B2D-6352-8906-000000008C02}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000355877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:50.721{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BD39B3C42919E88536A1E99723F9F1,SHA256=0972E281A092A48FAA84A81AB52027FA1656E5F653924DEF6C1A850A79967899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:50.799{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285D6E0B0BCFF8B3F3983B628735A33A,SHA256=BB4B85D0CEBD82B816D2955540808239B72500BCA58DA0576341BF1D6FBDEF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:50.556{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=4E1330E386BCD4D62D247C3A6EEE87B3,SHA256=700E1DD37302D33472E80F2003DA45E9ECD72448027B22415EA90E416BDF5531,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:47.328{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52225-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:51.839{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A459649F007454C8BB39C4A499FC694E,SHA256=332E7648B8A85CA763EF89E30FF350ED2B3FD29297074CE620E88EFAB377A8AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.993{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.984{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.982{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.981{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.978{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.975{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.974{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.944{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.877{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000236421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.873{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F68EDF0B35711E152251F97A802A17,SHA256=B726D8624D8FE5DD3F11DA3D34974781E2CDA159011C3B1A723C0B7CD779EEF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.846{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.826{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000236414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:51.815{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000355880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:52.938{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224428563C1B10D4217C2552EDAA23B3,SHA256=C13076C0EEADD61181AB031494897E9C6F503730A7D15E016F282217B1D7F973,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:50.666{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59849-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000236443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:52.000{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000236444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:53.019{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF16782579EF8C6190E9A383B0902973,SHA256=B36ACCDCFFB74D4B90126DC3CC262332502E51DCA570FEAAFABDB67FE78DC39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:54.057{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BC806A72FA60325E22B149BD3C0D60,SHA256=4E79A6D3C209D2B8110F61A14C0A05008B9B8DD0003E9FC6143EF783459AFE9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:52.471{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52226-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:54.155{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511A2507520D03FC2D17D22E2CE2FC2E,SHA256=CC8A36B6BEF5D6734EC4059B9D34D8809292C6B62CB265D0A9C96F61B781A004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:55.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DA07057EC6DFB1ED972F99EC8300D8,SHA256=5CB08BEFA9BA7729E5D7F231E7C7D30B2D69CAC0E0DF630DD081E5F3FAF87FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:55.232{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1028B6790037184D8A190B6672C202C6,SHA256=925AF803793BA20B42CAF799B6E082ED2A17259B8DF006D9928EBE2CF2B1805C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:56.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3DDD79A0584C7660BE30ECC0715787,SHA256=420F94F46EBE75F952C7BD0BA07E06FD9BCEC1B46F48CCD0419CD278114D7982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:56.320{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D3E8201B693760AC184BD2023B4146,SHA256=B00AA5D887A7F1BF723C19C6C131E0DA98813AE8BF880235F79FC2B96BCC3B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:55.842{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59850-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:57.315{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4642FF9C31878D7946F2946AA42291AE,SHA256=0D05E6D9E4A62B53293A28EBB32C99027D390595B39B9C0450F82EAAE8DBF219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:57.404{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D10E62EAA2D35ED37FDF7DFA322CFD,SHA256=BB3273D5DB2C13E7E6496A61C1005B275D1231FB0E914A426732E841B1A006D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:58.401{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF790E1D3275942575805099CD017FC8,SHA256=65A4167B5F0D12FBB5A1FB951D8CD33732DC6510938487D0CDCE2A7A992B243C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:58.487{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8059B46CE3E07E37653BE326688D24C,SHA256=C425270438381B6D8E37577EB9E7830088C1F51FEE51874AA5036E820B37D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:59.574{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EFECDE7FD681D3D20CD33B2A123265,SHA256=F5403704A6B75E5B32F8627AA16FEFD4AF7EF172950E3172BC9808E0A2C0440A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:57:59.449{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570AF8CA837557DBF44D059015A387AA,SHA256=30208317A6DF7E366B10B24B7FAD819D7412186F738F89761E2834FB36091984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:00.668{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF0C202A3313D66969DFE9805804DCF,SHA256=26B9931BFECB43D3316046CC94FFCAE3C12CF1AB6D9487CE8E85C284251E12D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:57:58.425{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52227-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:00.567{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAA5B3FE9E4A8E04ED6A47133A5EDAE,SHA256=F13995C47D19022BEC30B5A713490CBF7096D0A38269FE1FC877AB31D240F2B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:01.748{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F96731DCE9CC995B51A9C09CAA1AF3,SHA256=6644F13E76DEA81E53B514804E15269BC8206337A9514E5CF26235D36F56B4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:01.636{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CCDCA0F0F088CF57AD6623AFF19A12,SHA256=4CCFAE73FDF47107607BF879478E6C242F4D440B915A09AB1F1FDB2B8E5A5332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:01.320{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=470A4D1BA19F1E198E8B3511CA897875,SHA256=29BD5D30EC3E84B8646CEE60A218CAAB0A96219F129AA2FF68F651337B5F6813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:02.833{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38526F4802851428983EBAECB006E006,SHA256=FF3D045A686AC276157A80035691DF735E81AC26BF763839FF7117A1313427A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:00.848{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59851-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:02.738{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8641E3B03C229F57D49AA46625AB22,SHA256=591D6B2D1D9EFFA4B415C1A67F3585623A75E55BD67E583C82E33A353043A460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:02.221{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=1A309EE863548758AE5A66C52E4E0F93,SHA256=0AC0E8E90B274C0F29B14DE9B78DA1F5B37CCD6FEACDC36DFB96C775A1E573CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:03.926{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49167CA870572212E1ACDF817871DCB4,SHA256=C596EA09A1E1E42039114173F47D105E3DAE2B8A79B71DD2CD06473DC10254F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.965{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=90340AEFBFF2DC3210675132728BA956,SHA256=B7B0825E9DF36515B98969132D6660EC06C0273A4BEB15C15E54D855F6F1AF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.879{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.874{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.871{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.857{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.853{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.844{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.833{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.830{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.827{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.825{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.819{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.812{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000355905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2478DD3C7FF1977C26F4BFA3124163,SHA256=E3656FBB2141D95AC3188EAE073F8EDAEDB76F94936DBE5E7AD6EF47485C24CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.793{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.773{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.747{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.727{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.683{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.666{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.650{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.633{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.622{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.548{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:03.542{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000236457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:04.996{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA8D6D47A6368EF7F542D1AE86F93A0,SHA256=492B1F6EBCB0AA60AB7966FD754B60A4ACFD63B473ABEB6CE9EC7E0ECA03D9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:04.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09ECAC4F83B7B03F7DD212C68C5D6523,SHA256=709314ECFD02CE4206C9D7153F54FE313D2587E77E358F8DEBBA0A77ADA4F299,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:04.412{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:04.409{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000355922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:05.964{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0121D89F1BC04BC61F098645AF9A7079,SHA256=57CAFFD76A77EF97EC240EDD838FA0AEA4F5708E0B669B3A3B82B2D3CCB08005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:05.909{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FDA46F61FBAB715CF26E598726B736CE,SHA256=A231FEFABDC8DA30D2C4738561509C4FDC162913AE13F15ECCD90C5F6919A0B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:04.380{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52228-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:06.089{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7F8511ECE328AB56105315B3B785C2,SHA256=DE03E5717596B3E987B27B373D512EA9AF77BEB5226E0182D8B080E866E03E78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.985{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.980{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.973{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.967{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.965{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.962{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.960{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.959{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.957{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.956{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.442{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.441{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.439{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000236461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:07.179{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000E9C7B353B8636ABB02831EEDA35DC,SHA256=8FFD3C2142C8DFDA5AB021CD6234297D90F000DC4B53F461F78355E745998FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.481{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC909C6F85B6238CEC6EB8885490711,SHA256=D8744754929CC434BED7096315B03B92D90C4D3142113C7E4C4B8A181CFD4F3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.273{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.271{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.269{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.266{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.262{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.260{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.257{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.254{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.251{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.248{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.246{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.243{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.240{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.237{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.234{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.231{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.228{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.225{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.220{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.216{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.207{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.203{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.200{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.197{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.194{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.190{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.189{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.187{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.183{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.182{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.177{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.176{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.175{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.173{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.135{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.125{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.119{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.117{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.114{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.112{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.102{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000355942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.060{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F60082E5D880CE2A102BC868FD7C17,SHA256=36D211A1F024835EA96FF6018F00730213ECCBFFFCE3A00B01737B66CCD40E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000355941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.059{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.052{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.050{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.048{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.026{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000355936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:07.008{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000236465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:08.709{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:08.709{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:08.709{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:08.268{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DFEB6919C53ED7A3F71C23CE8C4C0D,SHA256=86F6AF5F96962CE1A643E7000776AC8705A155FE4FB7F9B544DDDA8C53F34487,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:06.787{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59852-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:08.041{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66898D8808E870990A829BB55E2CC0BD,SHA256=5C96CD7EEC7CD60F3B893A3A41A0E8A00C4B1886CA5EFC149B4BBDF38C59E29F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:07.179{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.35.114.12-59994-false10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000236466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:09.360{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5F30B3C6FCB9A1A341D3790D72E908,SHA256=7316DC92B34F9F6B21E733D3F2C4E5DED6B0D21E128104378C07B24A7C5967BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:09.157{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62509F8105029329EDDF4182B188B6F2,SHA256=6B6F23FF00826AF0967050F9302647E2228FDCB33D832054378879D1439685CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:10.444{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9279100AD5649CB9D161481723978F27,SHA256=C93D6E2974A50AAE5F0BD03079CBF4C9180BDE074453147B8F36EADBE5549F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:10.259{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A634E4F0C249856515F24F658130A0F8,SHA256=875EE015F30217250801F9579D1E171C21B9B4B320FE8D157754C2569619AC14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.996{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.993{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.955{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.939{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.930{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.904{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.897{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.876{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.849{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000236469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:11.516{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6C4653130AFB278996C0CB57AD0E2A,SHA256=F786A3F688D319EECCA983C113F6663C49D697668CB6352A0F82B9D1764EE57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:11.279{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8159682CFF7B17CF724AD851DDEEF2D4,SHA256=CE79F730CA8DC3F682AFB5428E39A7D7CEE6C75CD1B7E38B9941D8ACA135C65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083456C22710AB6787CA8B797960BD77,SHA256=7B87F60AF60C6E7D590393375CB32924890B189F7EB408B90F3D00449D8FBC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:12.362{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B2387DA9D4B556CF7C05519B812C4E,SHA256=96B6B919B972061DE8C33DED6BD0E1B99186BF72CFD80EB818E8F97568E1DAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.466{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396FA83D335579C915CCFAA570CCD519,SHA256=8F31CBFB1C9A0E78AD80E073F65E993584BFD52D88E655E44A7D8D98295B2CE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.033{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-7132-6352-5C05-000000008C02}2376C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.031{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.029{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.026{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.025{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.023{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.022{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.021{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.020{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.017{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.014{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.006{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.003{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 10341000x8000000000000000236485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:12.002{EFF5EEA8-4860-6352-1F00-000000008C02}12003652C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BCA2850) 23542300x8000000000000000236502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:13.875{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628BD1A6A3BF7DAD2E5E3379F6C1C0C1,SHA256=78A01FE573FB8F07924522BC317D79AE63B5186FECC04B74F55BBE516E598D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:13.381{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BFC7520965A545D28AB07F88B220D8,SHA256=3DD6F49F1CC4202AFCED11E33D1302CF6122D074B21C8B7285D67A1A032C17D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:10.297{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52229-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.942{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A849CC723C9E7FEEC45E85A13807031E,SHA256=531684B9D1D88FACE81120B4C2388AB3B031A6C9CEB772ECEF91DFF7F4B36687,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000355995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:12.691{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59853-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000355994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:14.435{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB0AF0F1A156492DE7981B392FBC851,SHA256=A4179C74F1772C422DC6FFB3D860704B19B790C79DE025955DFD911152C65CBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000236506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.431{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.431{EFF5EEA8-485E-6352-0B00-000000008C02}6283944C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000236503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:14.417{EFF5EEA8-485E-6352-0C00-000000008C02}7243312C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000355997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:15.952{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RFc6f2d8.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:15.468{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5458C2B78E9A8118D5A7E2C98B4FFE53,SHA256=98894028B31D2CAF260B8D0F0F4C7A5B61D5ADBEE4F428AC47AF946A71429BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:15.113{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5AF0CA7AF8FDD36F742655EF9B652B63,SHA256=9A0946B4696874E59624ECFF7CB8E7FD81AACD861544EB792BE61B3D7762C8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:16.568{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A78CC0E0310FEE355906F81A6F6CF9,SHA256=BBF6A61EB1621EF5D91567ADA73863A5421497F5B80461720A98827D0906295C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:16.038{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713E0A540AA698F37313159432E26934,SHA256=F6B8B249DB16549E4E0594178D0E12EB9EAF6A64E12D7CDC5BCAAA7A1C08F253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000355999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:17.613{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420BA268A52251F4543105C28A461A4C,SHA256=378B5E2BB4458125FF5569964B6343A554D6AC5D9B2965560D9ACC9B6EE3E2C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:17.132{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C5E12A9B0199DD344AF79D67331497,SHA256=E5A53D5B89A0C549A54D3290996A9AAE989502BE19929D70E9A8E31D9E6E3813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:18.714{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BC72ECFA485A9766A683DBF0AB4F7E,SHA256=0EEB5B6612CE74F4399DC922B8AA4C8D316ACB5B42D271439AC0A2DCC576FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:18.228{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D7855658DE2CC92922E1222DF1457F,SHA256=48554A0AB32DDFD2D29243F4458E91121708B3263EED70DCBAE7B056635F8D15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:15.427{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52230-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000356002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:17.868{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59854-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:19.741{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B94F16EF58301DFF400258041C1FA2,SHA256=92E30ECB3E83E307B25C7BB66561D6349BDD4C795B9275B7D19F954E85626AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:19.313{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C973A4C09A39889A839E6627176FFF,SHA256=C40476112D15A708E320D5C1D2EEF170597C9AEDDA0A0661010E57A85C6DA3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.816{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5BBADBE09077A0E2838E13030BF1EA,SHA256=3681B853871E7A28DB2393C327E0C3F78E41C86472EA7A1D67DD4EB3EE34F906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:20.386{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF30BCE35A14BF6974A2313BBCFB00D,SHA256=B152CC52C56BAC5FAD1C5FB23AB8F61378092D7DE1BC64264A506A7D84AE3C1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.492{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.491{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:20.491{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000236514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:20.063{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A03527E18466B11BE68A9230CBE300B9,SHA256=9C37BF92838391C2264AD75A57FB0A53AD23220E7F3A36C4BA741BB4420E7999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:21.917{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CC117BB1F8FFCF23A1CF66BF50E705,SHA256=24ECE726E82BD50AD128AE5538A9518657A365E5B1ED6F639D1D9B8C15C629F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:21.461{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319480097B6552A16B3232D198204CFB,SHA256=C688B396521E23336E5DCB84B17351592BD1B2B2F517C495F404AC7CBBC3C05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:22.993{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048CD995D0475BCC2741DA8C19F69F1B,SHA256=4C43BF66B138F6E02AFEEB7C5E5F72BB7ADC5FBD1ED4DC008E441B6D1E51250C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:22.553{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8500397C46EBE08C38E1BA3988F5BB9E,SHA256=DFC4CDAECB475FE52E18A5D30CD826B0DF9C4E2DB5331A0480B9FE86EDA97AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:23.633{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A554A3EAE342BB792BCD0DE53F6C799,SHA256=E61F712DAC19A09D162E413CFB084BBF49870A633143584A60FEF7A100F80E8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.840{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.837{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.833{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.827{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.825{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.818{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.811{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.807{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.805{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.803{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.796{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.783{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.765{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.757{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.747{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.738{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.709{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.694{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.683{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.670{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.655{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.576{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.573{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000236520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:24.721{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5985AF471A16DAF0186169C48AE616C5,SHA256=204BE8E8EBA539198C0126A12FE8120F82C814F39A047E638AFF395A177E08DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:24.250{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:24.247{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000356032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:24.073{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A410EBA71D965611EA75112900E77277,SHA256=BB46332BFEB7E8D444E0579109003EC810EAB1CED9543C823EBF9F9929E04072,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000236519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:21.430{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal52231-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000236521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:25.828{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11FE98B793ADD9E6B1AD35F5250E2AC,SHA256=512A8E0502B9962E9CE97978303313AE8E5C490085F3FF1665E6FAC156C24BCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000356036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:23.824{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59855-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000356035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:25.161{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FB3D0652444F112CDD2160C2F40FDD,SHA256=5AAA77F4B4E9E1B63BA264716D518D61F302791CEA3FF45D51D5A6F56AF54BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:26.934{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E931A5A0729D54BF91E834D724D8A9BC,SHA256=697F7A3A591E988280A44F3A3F3B434849F6658A63063FBC4AA443ABCCBE1C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.995{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.937{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.931{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.925{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.922{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.899{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.884{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.851{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.846{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.837{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.833{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.831{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.829{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.827{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.826{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.824{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.823{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.297{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.295{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.293{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000356038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.199{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FB6962F3C9291A7A2356E87E2566AC,SHA256=482D4DA13922CCF80ABA8633AB1EE858000DD69CF2323C322C02E5D66FE25C0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:26.023{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000356102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.647{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DFE34E92F0BEA31F5A6A1317DFC9F2,SHA256=7C9D64C1C659938BEA60F55B9AF5A94A779A4E4E5473DC93477FA3B0A18D4161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000356101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.647{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B230620FFB5DDBF79DEA8C2F509199,SHA256=B291131D42BDF999C4DCF622205E5A53AEF8862CF7262309A7E0C4FE25C02D42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.195{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7157-6352-9306-000000008B02}10072C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.192{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7139-6352-8A06-000000008B02}7824C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.189{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7137-6352-8906-000000008B02}8720C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.182{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8806-000000008B02}8772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.176{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711E-6352-8706-000000008B02}8764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.174{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8506-000000008B02}8612C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.165{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8406-000000008B02}8312C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.162{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8306-000000008B02}8272C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.158{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711D-6352-8206-000000008B02}8264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.152{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8106-000000008B02}1468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.149{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-8006-000000008B02}5148C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.147{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7F06-000000008B02}7100C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.137{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7E06-000000008B02}6992C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.134{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7D06-000000008B02}1332C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.130{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711C-6352-7C06-000000008B02}3772C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.123{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-711B-6352-7B06-000000008B02}7936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.121{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7A06-000000008B02}6368C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.116{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7119-6352-7906-000000008B02}7336C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.113{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7118-6352-7806-000000008B02}5688C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.111{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7706-000000008B02}8168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.108{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7606-000000008B02}7796C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.104{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7117-6352-7506-000000008B02}7076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.101{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7113-6352-7406-000000008B02}7980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.098{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-70BA-6352-6306-000000008B02}1092C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.095{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-7043-6352-5406-000000008B02}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.092{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F52-6352-2D06-000000008B02}8004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.091{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6F37-6352-2406-000000008B02}6000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.089{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-6CCA-6352-AC05-000000008B02}6988C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.087{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.086{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.083{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.082{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.081{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.080{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.051{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.048{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.039{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.035{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.034{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.029{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.025{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000356059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:27.017{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000356120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.747{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E249D78A6F59E051D2AC25D8852D3D4,SHA256=FD2DBBD1B31EA3786715304F10A6CE472F869C0ABF5B4CC212061BB87EF249A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000236523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 10:58:28.011{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7CC43A05F923B729C16BB96F0207EF5,SHA256=B4D8877602DA7FF4EAB25CAEACAD3E04A540894F30C7B9F7DBDE34377CC1336D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000356119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000356113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.590{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000356112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.591{30B46F62-7B54-6352-C007-000000008B02}9520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000356111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.295{30B46F62-7B54-6352-BF07-000000008B02}86805152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-7B54-6352-BF07-000000008B02}8680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000356108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 10:58:28.062{30B46F62-485E-6352-0C00-000000008B02}8326980C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 1034