23542300x8000000000000000258111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:55.905{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF891629EDB13495AA7412461E880DB,SHA256=8133F7C6CAC2B90BE59D8E5AE915F09473634709332368F4994F0D1848CA979B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000110965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:55.716{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8290C76AA8D23B831CBD1064D8AD8FAF,SHA256=478B1950BD2497D41FD08802B2FD970431C970B9B13478168EC16AA4A09E1737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000110964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:52.329{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50012-false10.0.1.12-8000- 23542300x8000000000000000110966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:56.806{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB617CD9757DFDF260B4E5F6976CC04E,SHA256=C0A835E8C11EC8E7378B3DBDBA6122EC98FA300C262C90FFADA9688931507453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.888{F522A29C-404E-63DA-D900-00000000BB02}4532ATTACKRANGE\AdministratorC:\Windows\System32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000A.logMD5=0F5C6E0B6268ED2FDA573C7D2975F2C2,SHA256=C9C9DBBB044676ABEAD195E653671F3FA6B15C57EA43A71E56C0B21B83EC4D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.882{F522A29C-404E-63DA-D900-00000000BB02}4532ATTACKRANGE\AdministratorC:\Windows\System32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V0100009.logMD5=95ACA2FD15856679973AFFCD46E3B30E,SHA256=18B94E0AE943CA854EAA31CCD8838E70D14571104F888C0E3933B3E7708C93E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.856{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2900-00000000BB02}2620C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.854{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2700-00000000BB02}2580C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.846{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2600-00000000BB02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.840{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2500-00000000BB02}2496C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.837{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E15-63DA-2300-00000000BB02}2352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.836{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0D-63DA-1B00-00000000BB02}2032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.834{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1700-00000000BB02}1388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.811{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.806{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.792{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1400-00000000BB02}1064C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.788{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1300-00000000BB02}936C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.782{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.776{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1100-00000000BB02}444C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.768{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1000-00000000BB02}388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.759{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0F00-00000000BB02}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.753{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0E00-00000000BB02}104C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.746{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0D00-00000000BB02}920C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.739{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 354300x8000000000000000258115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:55.095{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52393-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000258114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.710{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.707{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0900-00000000BB02}596C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 23542300x8000000000000000258112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:57.467{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA5BE5562F3B24EEBDBF493376ADCBE,SHA256=4A9179D9A0A0547605F34D87429F923013A7ABA74958233480E2C7585C93A522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000110995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.383{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E80-63DA-8200-00000000BC02}584C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.381{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.379{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.377{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E09-63DA-4200-00000000BC02}1880C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.376{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-4000-00000000BC02}1748C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.374{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-3C00-00000000BC02}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.373{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2B00-00000000BC02}2880C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.372{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2600-00000000BC02}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.371{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2500-00000000BC02}2332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.368{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2300-00000000BC02}1400C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.363{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2000-00000000BC02}2040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.360{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.356{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.354{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1D00-00000000BC02}1972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.334{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1900-00000000BC02}1816C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.323{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1700-00000000BC02}1180C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.321{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1600-00000000BC02}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.302{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.294{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1400-00000000BC02}964C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.288{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.282{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1200-00000000BC02}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.276{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1100-00000000BC02}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.271{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1000-00000000BC02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.267{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0F00-00000000BC02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.261{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0E00-00000000BC02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.255{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0D00-00000000BC02}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.248{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0C00-00000000BC02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.242{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000110967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:57.240{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762528C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0900-00000000BC02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000258141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.169{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3000-00000000BB02}2856C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.165{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.163{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2D00-00000000BB02}2656C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.161{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2C00-00000000BB02}2648C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.155{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2B00-00000000BB02}2640C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:58.151{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 23542300x8000000000000000110996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:58.204{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C449FA6556AEBAB7EA1EB48EDBC12581,SHA256=2620D81AE6AB50469A430BFB39AB5246E305131FB66D26F14D40269BCD7E5118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:51:59.072{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D280916D262E59CB7893ED14C44AEE3E,SHA256=C6835A2366FF4AEBF3A9596E547B8353385823CFFE7404CECE4FDB3F959DAA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000110997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:59.322{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775662BF39598133B977E90D762DA024,SHA256=2071A2DFA2AF128FE2AF68F629D0B9F94F35761AF7432B2C5FCF614FEC81FAF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.835{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7C01-00000000BB02}4804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.834{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7B01-00000000BB02}5680C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.818{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.799{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.751{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.741{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D800-00000000BB02}4508C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.723{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D500-00000000BB02}4408C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 23542300x8000000000000000258155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.711{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444EF04063501DEF33083F5C0AAA6BE7,SHA256=F19EE1871FF61146853B07B278AC5EC1A492FE4B11DCF1D1AA4877CE9BD59FC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.708{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D200-00000000BB02}2060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.706{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D000-00000000BB02}4032C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 23542300x8000000000000000258152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.704{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F1670D3B8A6FA12A9CB5E18F2E76A3,SHA256=CB83B5B9195CCB716C04487CD6355913253A5BF156E84B0C75E830575DB0F7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.702{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E94-63DA-8900-00000000BB02}2244C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.696{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.692{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.685{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.684{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.682{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.680{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.173{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 10341000x8000000000000000258143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.172{F522A29C-4060-63DA-E700-00000000BB02}58681892C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3100-00000000BB02}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015BBC190) 23542300x8000000000000000110998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:00.413{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE35F25FC421FD5E046189FE8A7589A4,SHA256=F554E7C99E6A685E46922FD09603B5BD064F16A68D88192C7097D8C79214A380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:01.507{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA5B76B354EB516049E600DEBBE25FA,SHA256=7A2E1C6656A5AF639742950C870CC8FEAE7A44470525FC4FF6E3947CFD96A180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:01.495{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61F6DE5520342D133FBE2BD804496C5,SHA256=2046CDA5FF9593358A3D677F435752F339A3F5B46A0469E21F61F48F7B937079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000110999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:51:58.162{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50013-false10.0.1.12-8000- 354300x8000000000000000258164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:00.124{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52394-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000111001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:02.579{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3831E502C4AF35A792E1FCA44D6D7D76,SHA256=C96187B905E7D9CFCB01A085B8DC24CF28CBB6B6D5AB918458CE0A11089837FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.653{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.653{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.653{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.653{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.653{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.652{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.652{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.652{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.652{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.652{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.651{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.651{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.650{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.650{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.650{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.650{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.650{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.650{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.650{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.649{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.648{F522A29C-3E0C-63DA-0D00-00000000BB02}920940C:\Windows\system32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000258165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:03.115{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E6E0184F7BC8709FD77347BE8CE7F4,SHA256=8B1E58A56391FD6431F6EDCA25E90AA63769F4ED4B7043B60B0B244A578A89FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:03.666{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9EADB6F6E5E8DA185A96B3DF505429,SHA256=7AE303CE021AC3720CDDB64FA56050D6EE1E7D1F32CCCDC0C46E2E0B06EDE383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:04.147{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA769E2039252EE60F8AD0B91C1C4C8,SHA256=BB086780964F3BCD859E5863AEFF8EB8F18A08A0DF8C34E89BAC18BD1AC37526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:04.748{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3563C3CF37C7AB4A79C04BE05BC17AE,SHA256=EF7FFC92241824B2DF208E8FD3DAF63791E21E45CA972EC8A52694F9830423C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:05.701{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB600585764C8CE76F398DA1DD55AFF,SHA256=7D7ED0BC4601ED6270F45C1568B2A905E8AFCD58720D40DBD60766D36F750F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:05.842{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE82BECC429A863E02789D84F57CAC98,SHA256=7F8FFBAAF8D9B1072667066893472B3878B1FEDA53CB84C1127EC6237D2D376E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:03.275{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50014-false10.0.1.12-8000- 354300x8000000000000000258210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:05.132{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52395-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000258209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:07.341{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69D499CC2C57CAF74161E24F966A15D,SHA256=194C30D82E0A545DF51538EAC507A29BBE04C764482833B8DF041EB38832D476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:07.044{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F53E1CE66CBF09EEA3AD0F480CFF594,SHA256=C23E468CD2ED449AC06F01AB169CD0A5FADB09E42DE54883F2DB3AF8C6741B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:08.937{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E92D5C2D99324EA8DC92631C8754342,SHA256=2B6F6D95DD08471ED66FF21CB24AD1CD82302A7A84386B1A2F12BF48F3F3248F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:08.129{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F514028689F1BC0E55C8711C7FD922C,SHA256=398A20F5967B973A52B1CB35D1940A54C8718FF7F938E75A983FF2CFE6EFEA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:09.223{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2782ED2A251D7314D6661EB0A507D9EE,SHA256=18DDD65B4973D7A52DD00C59BF4D64D8FD6FE44583B96DF08F2F7E2D15D0B462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:10.545{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F325D949B862AA78667509BDBCDD799,SHA256=B5426BEE988FDB8D9704B57B825E8A1B0FAA217E8566326912EC09880A03C66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:10.320{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1D59F37BE2891556DF40F41C18CB2A,SHA256=A9BEFEAD855B710F63B8C407E5E582079AA1DED06D73E604B1DDDFB0ACB70520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:11.970{F522A29C-3E1A-63DA-2C00-00000000BB02}2648NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0952d6a09371e4319\channels\health\respondent-20230201102532-025MD5=C992C93F6889836CE81093D64446FB44,SHA256=44CC6EB9534D1C68ABEFC8F37C94D933CD5A53D96A5B79ECC0CFE8E440E1AC73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:09.159{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50015-false10.0.1.12-8000- 23542300x8000000000000000111011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:11.403{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EB3140686A07BFD1504F98334B10A4,SHA256=D0003522912EB6CF2913CF3EE7F78C8C787E9A1CCBA0426FADC903DBA93D457A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:11.339{A4BA2B7C-3E06-63DA-1100-00000000BC02}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A6DF1650331BA0D87647EAA8F9192C7,SHA256=177061C01C71B6036A53692F7CEBE3C2EF3572DEA3255CAAE1556B657856BA94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:12.991{F522A29C-3E1A-63DA-2C00-00000000BB02}2648NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0952d6a09371e4319\channels\health\surveyor-20230201102530-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:12.154{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713CA82911CCF903F8E5EBB94CD6EB11,SHA256=3358FC8665CE5D76D3D05340057DB248231F1F8A89427856090F550072C98B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:12.392{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977EABE077B113D5E4E5FE218BF5C9E4,SHA256=C347267F407DD534565AD7095D89D46780E02C65761745F32278B2D7560DC270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:13.764{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E5513EE5C676137D04F08EDD772520,SHA256=FF4FD0E143CBA92E6E363A0737B6180C170D6DDB8DF0E18A44460EAEE7CDBCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:13.492{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027503CF488FCC2D85CD6A4F5DDAE69D,SHA256=A009329719DD717C60311E7CB7D04CC30EF810EA345F06CEE0A46800993160FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:14.567{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E63F0E381752DCA13B52500A8610A6,SHA256=18BBD8AD7A63553C4238296973E5B100F3C1DE9D6362130DFF248858F659082E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:11.122{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52396-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000111018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.594{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3439CF6F8BF19CA0F5339275608ECFB,SHA256=BB7BFEEB9F0A7946130FA5D8EFF741B632B9FF099670E9C35FF5F65901833258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.309{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.309{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.309{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000258220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:15.515{F522A29C-3E1A-63DA-2E00-00000000BB02}2692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=087A3F00A29E6FAE4BA2AFEC5245B00F,SHA256=9A8847B05C0318551A9EE6B4C89F70D6E17F80BE49826498513068A146DB82A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:15.371{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F99C8EB3C0CACD87276EFB90864F53,SHA256=08FC38221C0D953EC1FBF1FC79FB7A5D38556DDB6C8940BDB36E32783FFB541A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:15.695{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD54F9065EDF011DD711CBA0C29C85D,SHA256=9BF42B5337A11F232F962897F6A672DA9480553B71ECEF27117E82BD86DA5140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:16.972{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982E6DD15F0CA87BFCC597B10EFCEBE6,SHA256=A5ACBCD05016C9CA0CE1DA04A24799958F5A0C693335C2540914F8837A8ACCBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:16.174{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B40D8A5366CD1E40A870D113A2FCA6E3,SHA256=499B6A132BFA7A72661D23204512B786CAC09B0030685CB86CF0AA8CD01EEA47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:14.295{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50016-false10.0.1.12-8000- 23542300x8000000000000000111020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:16.795{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A190724629E7363813E7BF6300009B,SHA256=9F0458D047BFF4A9040FD64D763F0266DBA6C3A78EB882FA4C87193D54681A28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.893{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2900-00000000BB02}2620C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.892{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2700-00000000BB02}2580C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.882{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2600-00000000BB02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.867{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2500-00000000BB02}2496C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.862{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E15-63DA-2300-00000000BB02}2352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.858{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0D-63DA-1B00-00000000BB02}2032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.848{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1700-00000000BB02}1388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.823{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.818{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.807{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1400-00000000BB02}1064C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.802{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1300-00000000BB02}936C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.795{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000258232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.794{F522A29C-3E0C-63DA-1100-00000000BB02}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=504DD3C6FD24CC1D3BE7B4441EDAD862,SHA256=3D0AF6873DDAADF40CCE56D8C67A808DBC1672754735739BC464927BD4DD2759,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.788{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1100-00000000BB02}444C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.780{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1000-00000000BB02}388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.771{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0F00-00000000BB02}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.761{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0E00-00000000BB02}104C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.753{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0D00-00000000BB02}920C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.744{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.720{F522A29C-4060-63DA-E700-00000000BB02}58685992C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x8000000000000000258224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.714{F522A29C-4060-63DA-E700-00000000BB02}58685992C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0900-00000000BB02}596C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 13241300x8000000000000000258223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-SetValue2023-02-01 10:52:17.068{F522A29C-3E0C-63DA-1000-00000000BB02}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d9362b-0x40140fb6) 10341000x8000000000000000111050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.387{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E80-63DA-8200-00000000BC02}584C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.385{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.383{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.380{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E09-63DA-4200-00000000BC02}1880C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.379{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-4000-00000000BC02}1748C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.377{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-3C00-00000000BC02}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.376{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2B00-00000000BC02}2880C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.375{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2600-00000000BC02}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.374{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2500-00000000BC02}2332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.371{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2300-00000000BC02}1400C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.361{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2000-00000000BC02}2040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.357{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.351{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.347{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1D00-00000000BC02}1972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.341{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1900-00000000BC02}1816C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.329{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1700-00000000BC02}1180C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.328{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1600-00000000BC02}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.307{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.301{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1400-00000000BC02}964C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.295{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.289{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1200-00000000BC02}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.282{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1100-00000000BC02}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.275{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1000-00000000BC02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.269{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762856C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0F00-00000000BC02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000111026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.262{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762860C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0E00-00000000BC02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10) 10341000x8000000000000000111025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.259{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762860C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0D00-00000000BC02}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10) 10341000x8000000000000000111024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.252{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762860C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0C00-00000000BC02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10) 10341000x8000000000000000111023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.250{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762860C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10) 10341000x8000000000000000111022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:17.245{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762860C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0900-00000000BC02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038F10) 23542300x8000000000000000258252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.755{F522A29C-3E1A-63DA-2E00-00000000BB02}2692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=497B4968F2EF9EF7DA49A4337D0C090D,SHA256=26DC17B4E8A2CBC1618152473C4DDDDFAD73337594DA0C5AB5D15675F950E537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.579{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AE3A8A48B440B2F6993297D5CF294F,SHA256=3BCC857E300F181060F2DF824147A61EACB73F232AD372AA05882410939B4E35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.268{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3000-00000000BB02}2856C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.264{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.261{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2D00-00000000BB02}2656C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.259{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2C00-00000000BB02}2648C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.254{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2B00-00000000BB02}2640C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:18.250{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000111051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:18.005{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABDD6095D540F9BCEC9DEBC9C0C49B2,SHA256=4AE58F0054571FBBD87135BC86576416EE8D8A137241BECF43E87EDA8B19693C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:19.386{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F732893BBECECA5F09487521B5AA7A9C,SHA256=1CD517C98432B41BAE6657BEBBFA6B8EF577BD075F1B009A34A951838F4B8D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:19.091{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309871E178B29BF92FDDEFB85502E8DA,SHA256=DA7BF436CE0A9035C28769C63DF9416293F884C96D024B6A502495BB2903BF27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.998{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D000-00000000BB02}4032C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000258265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.996{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD99B575784D3F6F8DB065059FBC2D66,SHA256=FB1CCE2952D742B9F17A5556A2ECFC3F2A16A741A86C1D7C6134F69018633C5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.995{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E94-63DA-8900-00000000BB02}2244C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.807{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.804{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.799{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.795{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.793{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.792{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.285{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:20.284{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3100-00000000BB02}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 354300x8000000000000000258255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.712{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52398-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000258254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:17.115{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52397-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000111057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.338{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.338{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.338{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628676C:\Windows\system32\lsass.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.325{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-2100-00000000BC02}876C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000111053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.196{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0B16C0CFA27C7488EFC8C6E1A6B18F,SHA256=6F967AFE0944D3378FA4C4CB14BE04BE7FC826089709E8A847B1A31F759167E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.647{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-4060-63DA-E700-00000000BB02}5868C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.089{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7C01-00000000BB02}4804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.088{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7B01-00000000BB02}5680C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.075{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.055{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.030{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.021{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D800-00000000BB02}4508C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.009{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D500-00000000BB02}4408C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:21.000{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D200-00000000BB02}2060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000111059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:21.715{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=497B4968F2EF9EF7DA49A4337D0C090D,SHA256=26DC17B4E8A2CBC1618152473C4DDDDFAD73337594DA0C5AB5D15675F950E537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:21.262{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D7633BDD261D6435C3F58A1760F25C,SHA256=13656106D6E442AABE6C2740959D05C6C61ED6A059084EA6F939C132631A69E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:22.654{F522A29C-3E0C-63DA-0D00-00000000BB02}9202204C:\Windows\system32\svchost.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000258276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:22.591{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E0A3D4D1A0DA538F95A34AC9D5CCBF,SHA256=5B357B6B4C47769413B2D2E1A4457744FD592AD3F38637EB7676411BA930C86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:22.366{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0E7352980C0537F5E0C27B369E9E8F,SHA256=716FB6418BADB35DDB0431787C5550855B3BEF951A61BD2F521BB4B9FC034109,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.467{A4BA2B7C-4467-63DA-5901-00000000BC02}10483456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000111076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.467{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA0393755FF019F7CD9F2AA91040A5A,SHA256=9A01FB72E54220BF787AECCB8F54ED4FB3B24455B7E17F319F1FE679C92C9B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.790{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50018-false10.0.1.12-8089- 354300x8000000000000000111074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:20.130{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50017-false10.0.1.12-8000- 10341000x8000000000000000111073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E05-63DA-0500-00000000BC02}4121192C:\Windows\system32\csrss.exe{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000111062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000111061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:23.327{A4BA2B7C-4467-63DA-5901-00000000BC02}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:24.210{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AE9E07E666243FBE44F9DA15972A39,SHA256=913853DEE15D185C2961B9500B5467B13A2F8660609B80E1A577A184B27A749D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0500-00000000BC02}412428C:\Windows\system32\csrss.exe{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000111097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.601{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000111094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.603{A4BA2B7C-4468-63DA-5B01-00000000BC02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.554{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D5FEAA6212EDEF37248D0ECFFB97CC,SHA256=1E98B22AF6604E57E96AB9E0F0499E7FD2995F744CBFFE562C7014436926D4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.429{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6678253902B0AE492B42A4D0C5FC44AD,SHA256=2638CA0E46C23EFAF759D5D476AF5D51C1C1EDD0E326CB561218E82659963A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.116{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8AA1D5DDDAD2221A5DBA1EFA343399A0,SHA256=A3FB0A96512148B0C88F50ED88310C6ED67CB2A9EB5A07E303E5670A13D971B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.003{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-4468-63DA-5A01-00000000BC02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.002{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.002{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.002{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.001{A4BA2B7C-3E05-63DA-0500-00000000BC02}4121192C:\Windows\system32\csrss.exe{A4BA2B7C-4468-63DA-5A01-00000000BC02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000111079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.000{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-4468-63DA-5A01-00000000BC02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000111078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:24.000{A4BA2B7C-4468-63DA-5A01-00000000BC02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:25.798{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A418D21BBCEEA84154BD0AE28DA5E0B,SHA256=0DC4CB8F5CC2BD7E3485BA47CBE7D055E6760AF376731703961EFE47F0DBCC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:25.646{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FD5394CC44B21C6F2D587614420C53,SHA256=E803534A9AD4B932270903074582222EBD59455AD90299182988846932EE0E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:25.178{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=92D86D63CEEC55D4F2F771DE7ACBF992,SHA256=B075B4556ED4F5C6B84289FFA66ADD35298EC69D2BE9130FD6BCA699ADD382D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:23.038{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52399-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000111123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.822{A4BA2B7C-446A-63DA-5C01-00000000BC02}40563884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000111122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.728{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BC219B22A2033867FC66A525643170,SHA256=9977148CCE6E2B56AAC19D7359114C466FCFA089AA9FFA6BD683A47F9A2EBD40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-446A-63DA-5C01-00000000BC02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E05-63DA-0500-00000000BC02}4121192C:\Windows\system32\csrss.exe{A4BA2B7C-446A-63DA-5C01-00000000BC02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000111110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.650{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-446A-63DA-5C01-00000000BC02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000111109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:26.651{A4BA2B7C-446A-63DA-5C01-00000000BC02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000258281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:27.422{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EAF536E6B57E45A41523F1C8AEDF4E,SHA256=06B6920DFDDCEBC5971376677B1DC6C849C49435D959584B557AE7C257B07750,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-446B-63DA-5E01-00000000BC02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E05-63DA-0500-00000000BC02}412528C:\Windows\system32\csrss.exe{A4BA2B7C-446B-63DA-5E01-00000000BC02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000111140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.991{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-446B-63DA-5E01-00000000BC02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000111139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.992{A4BA2B7C-446B-63DA-5E01-00000000BC02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.819{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C2E26D95A503E4A60E54A828D5A0F6,SHA256=FD01FDFA2B65C1FEAAFAD2DF2C93BA3F09A6E4F267EFCE2CE15471216535346C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.476{A4BA2B7C-446B-63DA-5D01-00000000BC02}40443588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-446B-63DA-5D01-00000000BC02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E05-63DA-0500-00000000BC02}412528C:\Windows\system32\csrss.exe{A4BA2B7C-446B-63DA-5D01-00000000BC02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000111125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.319{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-446B-63DA-5D01-00000000BC02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000111124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:27.320{A4BA2B7C-446B-63DA-5D01-00000000BC02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000111154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:28.907{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFE46D0F6B78357200EB47966526FE0,SHA256=047D7416E921853C3253F9518B2F395DD9E964AAE488D655B7AC2E04C8F27760,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:25.285{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50019-false10.0.1.12-8000- 10341000x8000000000000000111152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:28.175{A4BA2B7C-446B-63DA-5E01-00000000BC02}3552524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.991{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.990{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}5085760C:\Windows\System32\svchost.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000258292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.localInvDBSetValue2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exeHKU\S-1-5-21-3145359389-666042155-3036903564-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\swiftslicer.exeBinary Data 10341000x8000000000000000258291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}5081052C:\Windows\System32\svchost.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.841{F522A29C-3E0C-63DA-1200-00000000BB02}5081052C:\Windows\System32\svchost.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-404C-63DA-CF00-00000000BB02}20723192C:\Windows\system32\csrss.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000258284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.810{F522A29C-404F-63DA-E000-00000000BB02}50281088C:\Windows\Explorer.EXE{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000258283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.799{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe-----"C:\Temp\swiftslicer.exe" C:\Temp\ATTACKRANGE\Administrator{F522A29C-404D-63DA-93D1-0D0000000000}0xdd1932HighMD5=FEE7C379F3A555C5C821E872EC384A91,SHA256=1DB93EE81050DA0BA413543F9FBC388499A466792F9A54EA6F1BBDB712BA9690,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 23542300x8000000000000000258282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:29.018{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7674B695C09C4C32E72B7F1BED2611,SHA256=EC5E336F3B8E0B45C3987D6F10F8D81FF0B2B0D6CBD23DF141FCFFCDC929FCB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.983{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD99063B7A9498A3B2CA6E20B642D65A,SHA256=7BB802CCA739C9CFE5C8ABCF0F49E2A282D1EDF4B63836A47B96389F40BAFC71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E07-63DA-2B00-00000000BC02}28802904C:\Windows\system32\conhost.exe{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0C00-00000000BC02}7243232C:\Windows\system32\svchost.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000111157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E05-63DA-0500-00000000BC02}412528C:\Windows\system32\csrss.exe{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000111156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.734{A4BA2B7C-3E06-63DA-1F00-00000000BC02}20323092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000111155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:29.735{A4BA2B7C-446D-63DA-5F01-00000000BC02}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A4BA2B7C-3E05-63DA-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000258383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.996{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000258382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.993{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.muiMD5=D0764AC98CB8B21FF529D8C3011D0CCD,SHA256=1B89A64E98662FE20D02C9576634F684EF741D275779C34950F854F49B3AB84C,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000258381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.991{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000258380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.991{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.muiMD5=F500548BD97F4A74EF166C45C4BEAE14,SHA256=E1EAF788541A48993DD3262411C2A5E51FD32C713226C7F6E810FBE07C5833E4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000258379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.987{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\fwpkclnt.sys.muiMD5=B270B714AD6B56A7069CD97C5A2CCC9E,SHA256=805762A81560E87FEF194C8182CB8D4601CB05F2952F1D3DEB6A2C1D063AB272,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000258378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.986{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000258377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.984{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.muiMD5=E8AB6A5A04F4803CCFA2F7CF7776EE3F,SHA256=E6349168930616E6DC36FCD0DB870056692E136C5FE0AFFDE9588BEEF8FE8A9E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000258376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.975{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\UMDF\en-US\SensorsCx.dll.muiMD5=FDDC23D7C1891203992DEE2ADB397E81,SHA256=E30071E18041441AE3C17AC2AB775CFA44CEA9E6AF97E7D42C97989949B4C44E,IMPHASH=00000000000000000000000000000000truetrue 10341000x8000000000000000258375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.952{F522A29C-3E0C-63DA-1000-00000000BB02}3881608C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000258374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.918{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.902{F522A29C-3E0A-63DA-0A00-00000000BB02}652384C:\Windows\system32\services.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.856{F522A29C-3E09-63DA-0500-00000000BB02}4201768C:\Windows\system32\csrss.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000258367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.840{F522A29C-3E0A-63DA-0A00-00000000BB02}652448C:\Windows\system32\services.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000258366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.833{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\System32\VSSVC.exe10.0.14393.4350 (rs1_release.210407-2154)Microsoft® Volume Shadow Copy ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationVSSVC.EXEC:\Windows\system32\vssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{F522A29C-3E0A-63DA-E703-000000000000}0x3e70SystemMD5=C417EA0DC7EF39347AB3AFC6D9CE0A3C,SHA256=198E5F8976CB3643D7D0709793CD49F8565AEEAC7871389255C7560F497F99CB,IMPHASH=B933B302F069B1ED43D97EAA68CD7B05{F522A29C-3E0A-63DA-0A00-00000000BB02}652C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000258365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.824{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.824{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.824{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-3E0A-63DA-0A00-00000000BB02}652C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.715{F522A29C-3E0C-63DA-1600-00000000BB02}12922636C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.699{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864524C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E09-63DA-0500-00000000BB02}420436C:\Windows\system32\csrss.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000258355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.652{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000258354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.643{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\SysWOW64\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{F522A29C-3E0C-63DA-E403-000000000000}0x3e40SystemMD5=F94C2242DE208AA0CD1A64187165B448,SHA256=0EF0BB79047494273B2F8B44F1080A1458DEF6DB2828AE517380D59CB29D7291,IMPHASH=DD443828EFFA4923A7206DB96293A619{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000258353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66623EBB85F5F5601FDF6D10118EA7D3,SHA256=977C94BB0B6948B13E2F42AD798270C9BC61930FB8B434F82A2243898E02A1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954A0012334B16A8E52055E2C6C06161,SHA256=2CE51CB88D92F3FB16A0BFE23F2188C4317F6BB1E9BEB733CBD64129AA3E3A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F8AD926B384B48561E7F32EF9D802377,SHA256=33543155EBF596C34EC7DD8A1B0103612853EFC188D7A25B3B74D28EF7FDE255,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.636{F522A29C-3E0A-63DA-0B00-00000000BB02}6603844C:\Windows\system32\lsass.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.574{F522A29C-3E0C-63DA-1600-00000000BB02}12922312C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.574{F522A29C-3E0C-63DA-1600-00000000BB02}12921328C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.448{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.448{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.448{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.447{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.447{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.447{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.435{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.435{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.435{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.424{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.424{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.424{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.376{F522A29C-3E0A-63DA-0B00-00000000BB02}660824C:\Windows\system32\lsass.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.376{F522A29C-3E0A-63DA-0B00-00000000BB02}660824C:\Windows\system32\lsass.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.348{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.305{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.305{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.305{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.282{F522A29C-404F-63DA-E000-00000000BB02}50284180C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.281{F522A29C-404F-63DA-E000-00000000BB02}50284180C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.281{F522A29C-404F-63DA-E000-00000000BB02}50284180C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.275{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.275{F522A29C-404E-63DA-D900-00000000BB02}45324748C:\Windows\System32\taskhostw.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.274{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.274{F522A29C-404E-63DA-D900-00000000BB02}45324748C:\Windows\System32\taskhostw.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.274{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.225{F522A29C-404F-63DA-E000-00000000BB02}50284528C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.225{F522A29C-404F-63DA-E000-00000000BB02}50284528C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.225{F522A29C-404F-63DA-E000-00000000BB02}50284528C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.225{F522A29C-404F-63DA-E000-00000000BB02}50284528C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.225{F522A29C-404F-63DA-E000-00000000BB02}50284568C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.225{F522A29C-404F-63DA-E000-00000000BB02}50284568C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.225{F522A29C-404F-63DA-E000-00000000BB02}50284568C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.210{F522A29C-404F-63DA-E000-00000000BB02}50284568C:\Windows\Explorer.EXE{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.194{F522A29C-3E0C-63DA-1600-00000000BB02}12922312C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.194{F522A29C-3E0C-63DA-1600-00000000BB02}12921328C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.178{F522A29C-446E-63DA-A101-00000000BB02}59005748C:\Windows\system32\conhost.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.163{F522A29C-404C-63DA-CF00-00000000BB02}20723192C:\Windows\system32\csrss.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000258307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.147{F522A29C-3E0C-63DA-1200-00000000BB02}5085760C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A101-00000000BB02}5900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-404C-63DA-CF00-00000000BB02}20723192C:\Windows\system32\csrss.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000258303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-446D-63DA-9F01-00000000BB02}24284376C:\Temp\swiftslicer.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Temp\swiftslicer.exe+5c555|C:\Temp\swiftslicer.exe+180c8c 154100x8000000000000000258300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.134{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic shadowcopy deleteC:\Temp\ATTACKRANGE\Administrator{F522A29C-404D-63DA-93D1-0D0000000000}0xdd1932HighMD5=AC7D85F15AF7E892847AE2DB2CCC2B1D,SHA256=969D91FFA56C80F82F893559316F6E1F12DC6C023411C43DAEDC80E8F9AC2652,IMPHASH=37777A96245A3C74EB217308F3546F4C{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe"C:\Temp\swiftslicer.exe" 10341000x8000000000000000258299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:30.132{F522A29C-3E0C-63DA-1200-00000000BB02}5085760C:\Windows\System32\svchost.exe{F522A29C-446E-63DA-A001-00000000BB02}3120C:\Windows\SysWOW64\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000111169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:30.812{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE39C6C240544DC6CA66888B2EA2528F,SHA256=77121B7CC9A0C0D62B69EF6810FF1613F67DD91ADE7A5811291AD258AC124A93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.822{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.822{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.819{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.818{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.818{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.818{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 23542300x8000000000000000258405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.609{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edbtmp.logMD5=F1C9645DBC14EFDDC7D8A322685F26EB,SHA256=E5B844CC57F57094EA4585E235F36C78C1CD222262BB89D53C94DCB4D6B3E55D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000258404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.478{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edbres00002.jrsMD5=F1C9645DBC14EFDDC7D8A322685F26EB,SHA256=E5B844CC57F57094EA4585E235F36C78C1CD222262BB89D53C94DCB4D6B3E55D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x8000000000000000258403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.471{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.471{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.471{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.441{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.441{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.441{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 23542300x8000000000000000258397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.439{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B0727747C9EC566E53A04AD1685318,SHA256=236EFF537C36D3BF9F407F62619EE8E43F804549473FF3F721F29E4F2CEDE7ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.400{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.400{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.400{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.390{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.390{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.390{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 23542300x8000000000000000258390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.353{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edbres00001.jrsMD5=F1C9645DBC14EFDDC7D8A322685F26EB,SHA256=E5B844CC57F57094EA4585E235F36C78C1CD222262BB89D53C94DCB4D6B3E55D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 354300x8000000000000000258389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:28.212{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000258388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.221{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edb00001.logMD5=28D350C51D12CF11123F531A6E940F64,SHA256=F2CE69533DDF170FC66B926CA89FB8618F7B9398FB7B3D2BD9B6C55C731D1717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.108{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\NTDS\edb.chkMD5=2A19195B6E990FB994946F52F9B45C17,SHA256=730BA43CCD1EDF83032957BB5E815FC66F1586F7B4539461755A229A1C753A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.102{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\gmreadme.txtMD5=7111BFA692A22E4B3C07F1E6C6FF6F72,SHA256=10BF6E15C08C8C7F5D96B658BAB78AED86D1DE20F08E7871EEFBA0939AF11A02,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000258385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.102{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exeC:\Sysmon\7111BFA692A22E4B3C07F1E6C6FF6F7210BF6E15C08C8C7F5D96B658BAB78AED86D1DE20F08E7871EEFBA0939AF11A0200000000000000000000000000000000.txt2023-02-01 10:52:31.102 23542300x8000000000000000258384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:31.080{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Windows\SysWOW64\drivers\gm.dlsMD5=7F29903CB8F5590D52DB0C9F97049A25,SHA256=3229B09B9D7D9F3F4793B0D9B34FE6ABC75CFA4A2503C0C90F43FF651BA7F2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:31.064{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4446C668E277D3AC92F046E5D62B004A,SHA256=20A685C5305952DF4B3BFE969DC7976537C6C6F3A958C82AB22459E560B7DC07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.827{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.827{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.827{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.826{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.826{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 10341000x8000000000000000258418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.826{F522A29C-4060-63DA-E700-00000000BB02}58686068C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012A98190) 23542300x8000000000000000258417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.197{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456FEE16E1E0C8D6D841FF1AB7BC3C83,SHA256=9D15C04F9DA3B3D1ED45EE377758B54B7A8A1C179C656015D48747DEDBFE837E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:32.194{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2E4666C86735B47E0870402E35EA568F,SHA256=658E23C7F00815620A33338AD5F3B80442EB479B8B145228C4B9C9720039ECD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:32.133{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656D94CFDCAAB95BEF16E15103B732B3,SHA256=48DF504E03B8578B1B88EDF3CC0D640C9A1E1F90F2E071B61E18FA46189AA893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:33.029{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDAD5B3703A04CD8E801AD28FACFCE8,SHA256=F72ECE9F152FA66C36DBFD80BB729BE473CB8718AFE7A799AE3CC814ADF0C8A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:31.239{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50020-false10.0.1.12-8000- 23542300x8000000000000000111172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:33.232{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9A53845D7E1C3E45FAC0F6CD7AF4FC,SHA256=9431C012896BC024FE4298FE7F0474F3D2AC9F18920EE3A7227088CDD2B1ACF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:34.448{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:34.447{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000258425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:34.447{F522A29C-3E0C-63DA-0C00-00000000BB02}864896C:\Windows\system32\svchost.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000111174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:34.334{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89576A017661C93B20FC507C9FC4F0D,SHA256=BF4603426E3070DD3C497594DD174C63B713CAE5F8956E3D992AFC9825DA7E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:35.832{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1A532A30033498504D780AE081D81A,SHA256=6F107543BAD8140456F16CEF7727FB5FF4D6E9B0E61C22CEADEF2BB307304095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:35.832{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F64C636832C96A2ABFDAFB2BAF1E7A,SHA256=6EE6FDAD2F31BB8337237662098B79441AD7AC2C985CAE3B8E8C0518EC4DCD27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:35.434{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC28DEAD2EC6A6177936E8E7EA72C3C,SHA256=0E2877D621769B5A031782F6B152B56EF723A9659FDB25D5085FD4BD3A53B40F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:34.099{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52401-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000111176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:36.530{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B516DD3F32F603CB38B6FB52003C005C,SHA256=C0F2F451CBB896AFD9CDC7DBB7247462A97DFBFEF4AFEFBB37FBB47BB095F2B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.950{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2900-00000000BB02}2620C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.948{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2700-00000000BB02}2580C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.939{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2600-00000000BB02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.929{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2500-00000000BB02}2496C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.925{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E15-63DA-2300-00000000BB02}2352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.919{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0D-63DA-1B00-00000000BB02}2032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.912{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1700-00000000BB02}1388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.874{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1600-00000000BB02}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.866{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1500-00000000BB02}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.854{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1400-00000000BB02}1064C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.849{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1300-00000000BB02}936C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.841{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1200-00000000BB02}508C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.828{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1100-00000000BB02}444C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.817{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-1000-00000000BB02}388C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.799{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0F00-00000000BB02}92C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.791{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0E00-00000000BB02}104C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.772{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0D00-00000000BB02}920C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.764{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0C-63DA-0C00-00000000BB02}864C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.720{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:37.717{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E0A-63DA-0900-00000000BB02}596C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000111206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.777{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF554AFAC85CF959EBF0D76D493D3B3,SHA256=634D474E37B879C87AD106ACA02A8434B3C1801AFFB86D37DBF977B117311ED2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000111205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.399{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E80-63DA-8200-00000000BC02}584C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.397{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.396{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.392{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E09-63DA-4200-00000000BC02}1880C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.392{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-4000-00000000BC02}1748C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.389{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E08-63DA-3C00-00000000BC02}2976C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.388{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2B00-00000000BC02}2880C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.387{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2600-00000000BC02}2564C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.385{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E07-63DA-2500-00000000BC02}2332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.383{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2300-00000000BC02}1400C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.378{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-2000-00000000BC02}2040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.374{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1F00-00000000BC02}2032C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.369{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1E00-00000000BC02}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.366{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1D00-00000000BC02}1972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.360{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1900-00000000BC02}1816C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.346{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1700-00000000BC02}1180C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.343{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1600-00000000BC02}1172C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.310{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1500-00000000BC02}1028C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.303{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1400-00000000BC02}964C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.298{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1300-00000000BC02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.292{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1200-00000000BC02}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.284{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1100-00000000BC02}968C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.279{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-1000-00000000BC02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.275{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0F00-00000000BC02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.268{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E06-63DA-0E00-00000000BC02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.262{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0D00-00000000BC02}776C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.256{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0C00-00000000BC02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.250{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0B00-00000000BC02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000111177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:37.248{A4BA2B7C-3E06-63DA-2100-00000000BC02}8762844C:\Program Files\Aurora-Agent\aurora-agent.exe{A4BA2B7C-3E05-63DA-0900-00000000BC02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013039150) 10341000x8000000000000000258456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.429{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3000-00000000BB02}2856C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.426{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2E00-00000000BB02}2692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.423{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2D00-00000000BB02}2656C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.422{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2C00-00000000BB02}2648C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.416{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2B00-00000000BB02}2640C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:38.410{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-2800-00000000BB02}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000111208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:38.877{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBD43F4DCAED416390C870783BE7B6C,SHA256=F534ED3D64FB3512E07B027B3515A0E1A2DAF2F97777A68D413122B7C804E9C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:36.313{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50021-false10.0.1.12-8000- 23542300x8000000000000000111209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:39.854{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291D28582C142954EA725AD4930ED910,SHA256=0EBD375DBB4177422F60DC40AF33A106010150554E62D60281DB0F100960FCBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.957{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E2D-63DA-7B00-00000000BB02}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.951{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.946{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1D-63DA-4A00-00000000BB02}3800C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.944{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4500-00000000BB02}3616C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.942{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1C-63DA-4400-00000000BB02}3596C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.941{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1B-63DA-3800-00000000BB02}3248C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.434{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3300-00000000BB02}2192C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:40.433{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E1A-63DA-3100-00000000BB02}3028C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000111210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:40.948{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3529A1C55D592AF9222C4E7D19F9FF93,SHA256=2C1A15DF6AC85C2C6A9D05D7D560E001722C9EE8899EF1E0E558860D2668C34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.560{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C72B8454329310C6AC170E5683AB57,SHA256=B108AC1008897BE5EAB613E44792BB5CAC9AA7D952D41F2BC7C47809F4DF86DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.516{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.516{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.516{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.516{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.515{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.515{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.511{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A301-00000000BB02}1928C:\Windows\system32\vssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.508{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446E-63DA-A201-00000000BB02}1100C:\Windows\sysWOW64\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.507{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-446D-63DA-9F01-00000000BB02}2428C:\Temp\swiftslicer.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.506{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7C01-00000000BB02}4804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.505{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4380-63DA-7B01-00000000BB02}5680C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.492{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E200-00000000BB02}4992C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.481{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-4050-63DA-E100-00000000BB02}3060C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.451{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404F-63DA-E000-00000000BB02}5028C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 354300x8000000000000000258470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:39.161{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52402-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000258469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.443{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D800-00000000BB02}4508C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.433{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404E-63DA-D500-00000000BB02}4408C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.428{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D200-00000000BB02}2060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.425{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-404C-63DA-D000-00000000BB02}4032C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 10341000x8000000000000000258465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:41.420{F522A29C-4060-63DA-E700-00000000BB02}58685740C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-3E94-63DA-8900-00000000BB02}2244C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A2C6190) 23542300x8000000000000000258487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:42.249{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9F06B24A3059D43E0EDB8573516A58,SHA256=D1BFBAB78464CF7B298F34548E0526C6E4047E682DE15B1ACB28DC9352DF28E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:42.219{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4109D09C6EEE7642CA7F89F7FF2BC1,SHA256=D8674530931282F83BB902AB7DF47C902A2FCEDE8D9504A87D8DC3C6CECF855D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:42.037{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302BDDF1B0D37311CD9F9F53EB0B502A,SHA256=675EB0AA361CA62A83ED87621DF80F9E760A36664510798345430A5511E43D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:43.023{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F30AFDA3EE0B85BE1410202476D06A,SHA256=1E68DC7FE681CBA715848460DA143DD5BE8A63D61FAA34EFCF0748CB833E98CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:43.122{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D01BB640F7569D943692CC9A1413177,SHA256=91A7C74836C5CDF6E1DD3424C4BAEFF029F8582A0B864A60FD112B17766F123A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:44.633{F522A29C-3E2D-63DA-7B00-00000000BB02}3992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BD83E90CD57FAB2D58A81F45990F2D,SHA256=CA37E44F9A22ADA5F199C24AA496CEC9456C02C06E824321E2C29DE5874BD268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000111214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:42.212{A4BA2B7C-3E11-63DA-6100-00000000BC02}3248C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-306.us-east-2.compute.internal50022-false10.0.1.12-8000- 23542300x8000000000000000111213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:44.219{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A106D0DA5C252E55BB53F0F599191A31,SHA256=6774946337F41058B1D4ECEB87AE321DD73C32428465E19E573622F479E18FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000258490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:45.552{F522A29C-3E1A-63DA-2E00-00000000BB02}2692NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A34A13609477878FC17DC54CC2405225,SHA256=834E4F7CBDA63F38043083D96E61C4C807BB84C1AD85E5E783798AF0364E8C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:45.334{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D14229943A622355D54DB0BCB4D1A6,SHA256=C5FFA19C3B6E505EDE6436BA23708FB4FF145731C5E14CD097D52E4E9A442277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000111216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:46.420{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE42126198A8ACBBC1BE2AD7388F172B,SHA256=4926E5805F043335096C912D592E4508051BBBE8C921F0FF181F7135FF9B7880,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000258493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:45.055{F522A29C-3E26-63DA-7100-00000000BB02}3240C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-865.attackrange.local52404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000258492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:44.758{F522A29C-3E0A-63DA-0B00-00000000BB02}660C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-865.attackrange.local52403-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-865.attackrange.local389ldap 354300x8000000000000000258491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:44.758{F522A29C-3E1A-63DA-2600-00000000BB02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-865.attackrange.local52403-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-865.attackrange.local389ldap 23542300x8000000000000000111217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-306-2023-02-01 10:52:47.494{A4BA2B7C-3E18-63DA-6D00-00000000BC02}3672NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01962F77A2139B296B5619B8A29B8056,SHA256=2571408D598F230F94F6A6D79DC4D92AFB7050F68C37CCB7DA03D4EC0B0D9B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000258512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:48.617{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-447E-63DA-A401-00000000BB02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:48.617{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-447E-63DA-A401-00000000BB02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:48.617{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-447E-63DA-A401-00000000BB02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:48.616{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-447E-63DA-A401-00000000BB02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:48.616{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-447E-63DA-A401-00000000BB02}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E00190) 10341000x8000000000000000258507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:52:48.616{F522A29C-4060-63DA-E700-00000000BB02}58685988C:\Program Files\Aurora-Agent\aurora-agent.exe{F522A29C-447E-63DA-A401-00000000BB02}