10341000x800000000000000082202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.997{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.990{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.975{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.970{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000032804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:06.185{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E872ACDE9CD8D393E519FC8D185D989E,SHA256=FB2159CFD397AF895A1E668F99A7072ECC6BDC76963DFA0BE1506A49EB30560A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.962{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.954{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.944{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.930{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.922{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.909{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.900{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.851{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.847{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000082189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.749{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\respondent-20221130113546-091MD5=4367FEF3D0B44A451D14676E8838B8C6,SHA256=A57E514C51A9299EE718F8B114501F94A24E2C8835ECD359B7D2BBD0A7C75EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:02.469{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50739-false10.0.1.12-8000- 23542300x800000000000000082187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:06.393{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71E6DA41B8B3112D93BB47152859BD28,SHA256=8DD13F571994A0E55DBFC30C4B488A64F24EF2F12F3CEDD45E20A45C6D4A5CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:07.259{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159C9DED93DE7A3A98E0C2F0E3A6304E,SHA256=E345631E2F3320D3AF03EC6B2B69A3FDC882BA3133C731B4752C6452406407FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.748{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\surveyor-20221130113544-092MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.484{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.479{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.473{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.470{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.057{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.055{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.053{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.043{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.035{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.031{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.030{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.028{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000082203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.018{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F730C8EF1867B6A4AF4460DB060C32C0,SHA256=E2C8C9FE6653D2734C14FDB0709B0B48B25B9426C9C706218F7C3CF347B21EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:08.455{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BAFB9832A1B6A06CD9B658C1CE6DB5,SHA256=1839DC3D265F5E4C6F0774172414EB2F357D8C381BB50CE8FE5A5DEFA5B6AF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:08.186{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3ECEB4CA1ADB0FB3025FC1B174F11C,SHA256=4CDFC067067DA3A54226BB482FD4F87496446F148D00CE7986CA9B44F70ADDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:09.543{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D695FAA767BB16A63D182AF21E7F76B2,SHA256=0FB412F4B21EFEC81167F173EA836EFBEACF16402FF3138E7A18738C4E8B5555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:09.535{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:09.533{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000082218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:09.232{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D84D35E53EAE1FD01F959D3A4AAFD9B,SHA256=2F1A7088C423BE50D22F59D0A3587FA77B290AD92959D264777C3B10A5788CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:06.522{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:10.637{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4390E21E696C709E4686DC8859262B8F,SHA256=E1A2399E530CA06959802959807AAF89011B420A9D2D492FB6C06BC5CE1ACBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.864{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2F387FC0C40A3CE69118CC318EE766,SHA256=3B88DA3EBE4A1309CD1E912F33F47395A444DA4496BE2E382BDF5D633E115439,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:07.573{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50740-false10.0.1.12-8000- 10341000x800000000000000082254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.281{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.276{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.271{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.263{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.256{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.243{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.242{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.239{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.235{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.225{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.220{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.191{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.187{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.185{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.185{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.183{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.170{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.150{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.113{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.104{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.087{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.075{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.073{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.069{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.066{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.065{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.061{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.059{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.058{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.057{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.055{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.054{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.054{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.050{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000032810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:11.724{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7BB7C3631A84F5DF733F2330901F24,SHA256=FEB6DC3A8F97A9BDCB8E81E8AE78E9E6CBC25A462B71D1F94EC3C9565315818C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:11.973{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:11.617{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CB18A24EAB2CB0D35776F65AE5EF1A,SHA256=EAA919EDAF59E8792A28C8BE2493C47F19707CB33DA369BECD6FD85FF3FF1673,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000082267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0056c09e) 12241200x800000000000000082266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000082265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d904b4-0xb178bf1d) 13241300x800000000000000082264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d904bd-0x133d271d) 13241300x800000000000000082263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904c5-0x75018f1d) 13241300x800000000000000082262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000082261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0056c09e) 12241200x800000000000000082260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000082259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d904b4-0xb178bf1d) 13241300x800000000000000082258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d904bd-0x133d271d) 13241300x800000000000000082257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:11.295{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904c5-0x75018f1d) 23542300x800000000000000032811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:12.819{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0274A0E7AF190940AA7F1AB212F96A25,SHA256=F241577116F9D21A4365E046468A97877FE85B5C9D2AD325B71E77D76E417738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:12.714{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8F67784660AA821EE899114F168ACA,SHA256=800EEAE5E0A37D4B05F271944FCA33E4F8BE1D0D73D90554F0ECDFAC33745862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:13.905{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96E98B9C78E9D44CF88F2F1C8A6FFD8,SHA256=70CF12F1B756A793A789AAAD9CD3469D132CF62D23A7030CC00303ECCEBEEB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:13.844{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152E4EF5ACF70876BACC94CC99C4FC04,SHA256=F94900AF25167DB7CD7F0F3AFCAB65618A66A6DF657B6982FFA0CFCC614D02F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:13.532{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:10.354{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50741-false10.0.1.12-8089- 23542300x800000000000000082274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:14.915{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB51159F88C9876649C42DFC3ABBEA9B,SHA256=AC6B19FB76FE322A274131DDA3CD7F9150D650F74602622CB89AF6972200A172,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:12.842{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000032815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:12.551{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:15.001{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADDC534EE552A66DC02778C4F482777,SHA256=44773F9B082A38603E5B58099AC8D12744CF0871CB8F71B90D3164FC7E0E0F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:16.096{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C50FC12E08B9DCD56C6E0867E8AF730,SHA256=1F85D8F1B51DD28049A3CEE71DD44F4D980A4CBAB2BB58DE4096D88F6AC134C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:13.575{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50742-false10.0.1.12-8000- 23542300x800000000000000082275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:16.013{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9BB4A518B0C353B166F516051AE995,SHA256=044B837A22DEFC257755A0A6FF0B0CDEDCFE831334E9A948CFBF69B07B545F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:17.322{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD289EEA097555D3164EA3EFB49CA9B3,SHA256=C023B5E7385735FF3339871870F719425F8104FF692F9A85844D4DDF641290FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:17.071{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE887B1748C03B4A04640767CA7F108,SHA256=FA105E2FBBE62B43560CFCC1F3CDE0A6CE6EBA53E6999A4B06B886A02FF7F315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:18.410{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE7DAC539FA53E764AB5949B860A65F,SHA256=A72B1AED7C858CF18A846A1A9C5F7AD59A7AB1B0F2BB7D31FEF2023B0C3A914F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:18.156{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F2525E8283CFA920B5C79A5F740BCB,SHA256=C28E777122223A819982F4FC7B0905C197410746424889BA4DD1EC0A6552719F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:19.495{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4414F8245148356E4F6D698BF2326A7,SHA256=D3E5A11E92AFE2428C87C37A3A0D9B38A2BF8D364136C942AE66BA60F0AEB215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:19.289{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7001270FA2012480B873C41C2F6C75,SHA256=E0126FC284BB04129A000727CFB6260A32BB02E99ACA327BAD9D893E51A0A789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:20.583{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2DB709604F33E5FCE690DD38D1CFAF,SHA256=3CAD5267E515B511CF9E3BB7BDC0F0DAB162B75E02E9D7A496CD2527A19E3670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:20.357{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB26F5B41B7F390E7E27D0070D01497,SHA256=5716A20F72A2B62A5F5BAAD7D7EBFBA6AB92F2CC44633EDB2018F388EBA9FBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:21.676{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D031207B1205B03DE49F0DCA5B7F3F,SHA256=E29B414C6DB138F849EA212529FC8D3E6CF6F10EDE9B9EDE19B77D62EE33E4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:21.490{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C1D358C16008CA543D2F365C090A04,SHA256=FEE53F7C79B47C349F340042D2558AA5DEB732C0109F9C71AABE1CE1195A258A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:21.447{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4930BA3CBCC510EB14CEA903EEB574B2,SHA256=2CB76208E92AC48673855D973CF1628027DEF25E63717FFCD4FE2DED24561C26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:18.371{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:22.755{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDF543E1023C49FB84587E2A12B0337,SHA256=630E5F275DA3EDC814FEEB9DDF90351BFE30593DC97D019C831A26DC20D8A60B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:19.534{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50743-false10.0.1.12-8000- 23542300x800000000000000082282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:22.605{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C378C408E6BC1700BEB9C92D9848CAC3,SHA256=4B8FE6D66AD04127491EE2458C1E564F605C27C0985BDE6CDB51BBCB7DBE4609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:23.955{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFA3DA39B645CC8542B4AE66126251B,SHA256=ABD7905FCC8AF33D5EAE52EF396EA4C99CE7382EE49E3A456791284745817B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:23.708{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E97413A93A0147C4394763B8F74D5F,SHA256=B7CC2E7410F1D35E4D892FD77B56D504E8DEFAE0D9A9D6382F48639A57003205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:24.846{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679E17E37BD5A10256FC3BD2FA78B8B1,SHA256=797FF38D5BF35B58F3453D9DF79159D1DCE3F7820E7F16B3CC77DAC1171BD168,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.377{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.373{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.370{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.360{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.359{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.355{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.355{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.354{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.353{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.345{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.343{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.339{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.336{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.335{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.333{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.323{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.314{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.312{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.296{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.290{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.281{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.274{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.264{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.238{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.230{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.222{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.214{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.208{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.200{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.188{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000032827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:24.184{1060B4B3-4261-6387-1D00-000000009502}20042484C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000082286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:25.962{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA1A9A2025EDCBD807D2F9A715F3030,SHA256=24066965BC8BB9107A93539009F99E27CB74F1E4E88BB27656D63A391AD3F428,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:23.436{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50698-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:25.208{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F7142841A09C9742A7B876950CAE2E,SHA256=43D4B5DA7FEC1EC43D28850EAF0203B8E958E55B09E7F2DCCCEF538E30471756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:26.452{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D501CE4A665703D1FEE5E8E9EB13957,SHA256=19CE20E42C89BAAE0985AF7B69080031B8A5CDCA6B1CF8DFE8AC4FC5422E71AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.992{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.986{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.975{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.965{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.954{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.943{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.936{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.926{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.913{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.860{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:26.852{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 23542300x800000000000000032861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:27.529{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F54221C2DCA90220CBCE931EC13E2FF,SHA256=64DEAE925D14B5C26D4473D3E2E72DADD264A92DE12E5D451C3A798BBAAE32C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:24.539{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50744-false10.0.1.12-8000- 10341000x800000000000000082312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.555{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.550{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.545{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.542{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.089{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.088{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.086{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.076{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.068{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.064{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.064{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.062{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 23542300x800000000000000082300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.058{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E18E4796A08BDE29817EE24C87A4756,SHA256=F7397720C8F57287B8CBA1F06BC0F29D17DA0A2E303F86774D1C5670448BD50E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.014{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:27.008{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 23542300x800000000000000032862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:28.820{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1661BAB232C35B1358B3BEDF396A52F,SHA256=5620AA17CC112CEB425F5EB39BDE774701C40C476CFFC56C0670548C0312494E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:28.110{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A46E06A6296365F4FFD91DD157B300,SHA256=63ECCFBFF487E76DC8525D716B68D9BDE847DF25FEB1A1CCD84FD47178CDFA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.597{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.595{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 12241200x800000000000000082338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.461{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.461{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.461{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.461{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.461{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.461{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.461{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.459{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.459{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.459{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.459{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.458{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.458{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000082325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.458{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 734700x800000000000000082324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.455{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000082323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.454{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000082322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.452{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000082321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.450{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x800000000000000082320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.450{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000082319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:29.450{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000082318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.449{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000082317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.449{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000082316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.447{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:29.211{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61A0728F4087707E79F98A83190884E,SHA256=BFDAE26C7DA144B64714D64E63A792C7443D96BC556AC18890FE15B4B1273D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:30.015{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E60323604371259D83CA1062E201F,SHA256=1EACD1484EFBCB4DAA0BE867BC9E4755DCFF29A976C7AA544CB06647705FC334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.547{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5E9391A40B05D513B998CE949D6F3F,SHA256=FB614E532B3CA1ADA14A33AD2DE6A7C61D3C408556130047B0CAF50E45EEA563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.388{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.384{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.381{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.372{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.367{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.356{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.351{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.345{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.335{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.311{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.306{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.268{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.265{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.264{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.263{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.260{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.243{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.219{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.172{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.162{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.149{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.141{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.138{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.134{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.131{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.129{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.124{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.120{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.119{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.118{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.117{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.116{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.114{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000082341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.111{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 354300x800000000000000032865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:28.531{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50699-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:31.100{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A0BC646A1A1D2A6532E75C7654D550,SHA256=58D9DADB2F9A6BB7342F6CFB4EF8907095D19AA2D035FC1B1403091EE5E886E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:31.396{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C121745E317CE9EF48B3841871BE01FE,SHA256=F13EFD72EEE12830CB7709D199E433A4D49D4ADB08554D4069B5545D8CC81AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:31.347{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0F53C7D374252E69F21D0765C809AB,SHA256=0CFF685B5EBA7AE21BDF3F15C975AF9599957DC950BCC579219BC30A38193708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:32.159{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D058A6DC8968CA64D37304D19A95D0,SHA256=5A3B7F113E369635BCA381FC95F60F29D78312AB8EEBF3862935C0B25A550056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:32.694{89C4FCAF-4002-6387-1100-000000009402}476NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F7A5DA608A6E8853E55B431F76B7D66C,SHA256=F9E961875F68B88F8828B85FFF6924FF7DCD8B21B52A3917F63A095B8B5F0272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:32.462{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA2C9E91E6B1DD7134C8F6D117765CE,SHA256=618CBCA58C72C068CB31DF2897E685DCA2E0DC78BE8BF4BA59185A4CBA152565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:33.262{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E3FBDD829B53C87269A813DBECC0A0,SHA256=CA3E0E4313580A0E96BA41F1DD4BD561B16401DE2616CCA3806AD020CD9B8989,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000082387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:33.947{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXEHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x800000000000000082386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:10:33.947{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXEHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d904bd-0x2161029b) 12241200x800000000000000082385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:10:33.947{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXEHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x800000000000000082384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:33.947{89C4FCAF-46B9-6387-0806-000000009402}48484916C:\Windows\Explorer.EXE{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d6700|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF80151065638)|UNKNOWN(FFFF8B320D9E7E18)|UNKNOWN(FFFF8B320D9E7F97)|UNKNOWN(FFFF8B320D9E2621)|UNKNOWN(FFFF8B320D9E3FEA)|UNKNOWN(FFFF8B320D9E22A6)|UNKNOWN(FFFFF80150D79603)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d9f5b|C:\Windows\System32\SHELL32.dll+be54a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000082383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:33.947{89C4FCAF-46B9-6387-0806-000000009402}48484916C:\Windows\Explorer.EXE{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d61e1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF80151065638)|UNKNOWN(FFFF8B320D9E7E18)|UNKNOWN(FFFF8B320D9E7F97)|UNKNOWN(FFFF8B320D9E2621)|UNKNOWN(FFFF8B320D9E3FEA)|UNKNOWN(FFFF8B320D9E22A6)|UNKNOWN(FFFFF80150D79603)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d9f5b|C:\Windows\System32\SHELL32.dll+be54a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:33.947{89C4FCAF-53ED-6387-D107-000000009402}6412ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF57191e.TMPMD5=2A74222BB9A050603C32347D7540F192,SHA256=16FE989BA86F53383D582DD4DF278E294503866089C587E1B68376F6FB39FE8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:30.539{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50745-false10.0.1.12-8000- 23542300x800000000000000082380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:33.563{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748B777F9B04AA5A04F0F400E2DF4D44,SHA256=EF7734EAAAFEE1C5CAD7CB41BFB94F89F0A6966AAFB39937DD5A058FB0669907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:34.544{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F514A714DA9D29332BAAA141585DF5D7,SHA256=B2CFD04A5012FC52834FE0ACD81D238F2667C8C7451A86323249EDA878D27502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:34.679{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B200C34545CAEF01FD452577938DA1E,SHA256=10083F604B151BD771D0A40389EBF1EC222D52F3F98C21C8EF8D85D09DDB70A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:35.737{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F778E97E9CA097A12188A3A9E4A875,SHA256=B817C713EF966DE6A20374DA6F58C64A0D960096B4B1515A2272A326F5C4C899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:35.811{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D74DEEAB2F69B51941CC753BBF017A5,SHA256=FC014E47BD4687FF2DBCB659E409DD46553E96A9A4C603CB6C8641C8207ACDD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:36.817{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2883B8881F5F4B4480934F53D5895748,SHA256=4F6E74E559302C1F5D678B977C0DE718B4E3EBA43CC15EFD3445497D71D7E839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:36.928{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CC5D8B7466FC98A2319159476C5B10,SHA256=F81F020F2B955BE3D944DA783A61A443B729A5339B6E8FFF50CA76B1FC7D4D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:37.885{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA447A380418F5374E2EE09769DD5551,SHA256=20B0865EFFBEE9A7C414FF5B5F83E371565E2D8DDE135A772F5695650729517F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:34.409{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:37.947{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE45CEAB16D0355A1466D9B888C1A87,SHA256=4AAA5F895E9CCE62FBB22199A47E2E6F273A6ADB4802DB7A82CD12A7B984DC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:38.878{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5106C8E934535510037EBD8309C1A7DA,SHA256=2036032D054B8411A079645B8F728CAD9A355D6A744B746418A145D396911C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:38.565{1060B4B3-4261-6387-1200-000000009502}988NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9A600040E8D6DF0DED96671E3551265,SHA256=8AE146126C55DA459EF4F31BACCB4CAA108D7EBFF0F3E60D801044010B1C05CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:39.968{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0296F81CC5AA01212FD0CDB45383BAFA,SHA256=9FA4AE81B4FE320E304E102FF5475DB94BB70ABD3DA8D1C7688646E536F98AD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:36.439{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50746-false10.0.1.12-8000- 23542300x800000000000000082392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:39.080{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0015F1C43C525A4691BB81EF828E93,SHA256=638038DCBFD6E23FA44B3B7E95E28A902CD8CBA8771AB37D4378C1D038B7E053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:40.198{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEC7710695B522D1BDFD20251C6F401,SHA256=349F2ACA8BE9A371B48F7A196E8BA56B323E0CD828582A9930DF19B845BBAFD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:39.568{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:41.048{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F229E7658F5F4F740C93F0DFA403A5,SHA256=5A9B7D4FB16E043DDCBF65D14BFA34D68792AFC597EE5D37CF4E1A30381C1B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:41.296{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F75510379CC44BBA794B988D92BBBDA,SHA256=A61C4C8A7C5AD6E8D3384F7BC017639482061EAE4E3D49A5823BDF62F2289A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:42.466{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3B529045224AE462CDE7CAF0E5E956,SHA256=24F90C60819F4455776BA1713A6C765D3DD16E21A4006C6545E41641BB29C2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:42.398{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3239E3A457DF71B59DCBA5FBE090B5B,SHA256=F7DE025ECAA7ACDA3C040A2B000B32B762D49CFB7A586E6BAD21C66F31517FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:42.119{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF413CB63628B77F6A9CE59BFE32B47,SHA256=FCB926103242E20FBC7A86A2333460DFBFE6BD5FCD754B0F9941F5746CAE6E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:43.497{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27A38C8EBC80569AA745C0B16B19929,SHA256=731BCEF7D996D63081919936E4C7B0C0DD0BEBC11BEA5FB5C267E85AED63328B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:43.207{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185A6B6AC30214BD554D9CB3FA6067CB,SHA256=FADADDA1EDC24B879B504143F5A36E83DA422B75C12DA7DD4B64FB414B456D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:44.681{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E3F47527E33D1AD4DA76A390B0CC16,SHA256=FE96CE540B74C4D5D05D8EEABBA512915C0A668A9FCE29BAB5F8F3860221CACD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.386{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.384{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.381{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.379{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.378{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.373{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.372{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.371{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.370{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.367{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.365{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.363{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.361{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.359{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.355{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.342{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.334{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.327{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.310{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.304{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.291{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.278{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.271{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 23542300x800000000000000032888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.271{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB22F662294D4766D0CE7D948D085BD6,SHA256=8BD49024D0147887A319F8A3E1433E8CEEF6B571A62F3D8991EB419335CBD07F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.246{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.239{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.228{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.220{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.208{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.199{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.189{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000032880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:44.187{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 23542300x800000000000000082402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:45.798{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7795A86D0FEEAF1288A514B27253CA,SHA256=9E72F55261511B303F7A7491A921A3E68F7F9F817EDB3DC2AA0009C020D15E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:45.389{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93A0D44980EFED95CCFF5C7433F82FC2,SHA256=AADA3A710515EE5001F6B0EC1935ADDB5A35E750EC47B6CF65E9749153C50EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:45.230{89C4FCAF-53ED-6387-D107-000000009402}6412ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\f8bskrpn.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=191E7F01FF4F8653DB5E82E73A407973,SHA256=21A1F16CB22FCAE81DFF27E6C099F705AC7A6847E5692C54302DCA6B6627B255,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:41.507{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50747-false10.0.1.12-8000- 10341000x800000000000000082408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:46.994{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:46.977{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:46.963{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:46.892{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:46.884{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 23542300x800000000000000082403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:46.814{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB294B43EC86B014A482B3FD24FCB936,SHA256=59574A093189844F892AB202001BAA5AA8AD0F7C1760138F3A3468644E84C598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:46.457{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB301A65336153E6B9D739B811952A30,SHA256=869FE3AB40498C9187F54074C29094CC64992F24C7CDB531CF9BB0B6E08571D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:46.040{1060B4B3-4261-6387-1C00-000000009502}1984NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-02f395d688d6dc534\channels\health\respondent-20221130114540-082MD5=421A2730ADAE3A660BE9B98FCB42BB32,SHA256=DD9501AE8159B049E06ACD4F3040B1765B6D21D365832970C0A6F127BF3F7749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.935{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1718DD5E1F27F647B04FB165812EF40,SHA256=1BD13231DFFE1865C665E718CD96C3460CF97C869E92D3E44834297D32DBE264,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000032918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:45.429{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000032917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:47.530{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9170A7170C7741F035E0F1B3CB198A5E,SHA256=1CD09B4A57FAC4B32C83CE1C005B674512D8105DE2020B6300292E1466371554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.847{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.841{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.837{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.833{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.232{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.228{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.225{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.206{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.190{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.184{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.182{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.176{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.127{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.116{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.090{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.074{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.060{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.045{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.030{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.009{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000032916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:47.099{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1D00-000000009502}2004C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000032915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:47.047{1060B4B3-4261-6387-1C00-000000009502}1984NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-02f395d688d6dc534\channels\health\surveyor-20221130114537-083MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:48.612{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70CCA81AE9171CCD5DFD8D5DA13B49A,SHA256=35518A34ED69BB3929427C7DA0D750587AB5492A7E91B78C8472CDDB9CDC138F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.697{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC782926ED3696E3AFCA622EF6DBEFA,SHA256=5CA1BE59E3ABD97E05B9C9B92D8D490E4F3A2E319FC71E1883978AE8C905444A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.697{1060B4B3-5659-6387-8305-000000009502}36763644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:49.885{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:49.883{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 23542300x800000000000000082430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:49.067{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDD210076EBA7C4A3CA0FFD93D222C8,SHA256=92A66BC0791A8B8889DCB95726775AB75A4E24EBFECC4B7EC82B063D82128EF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-5659-6387-8305-000000009502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-4260-6387-0500-000000009502}396932C:\Windows\system32\csrss.exe{1060B4B3-5659-6387-8305-000000009502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.525{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-5659-6387-8305-000000009502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:49.526{1060B4B3-5659-6387-8305-000000009502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000032962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-565A-6387-8505-000000009502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-565A-6387-8505-000000009502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-565A-6387-8505-000000009502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.861{1060B4B3-565A-6387-8505-000000009502}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.798{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2EB273F74DE479B488101072A2E758,SHA256=751CA8D73831397FB6DD61AD96BD0F9C8112A41285793F530BD00D97B233C7B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.660{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.657{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.655{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.651{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.648{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.643{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.640{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.637{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.633{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.626{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.622{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.586{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.584{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.582{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.582{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.579{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.564{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.537{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.494{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.482{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.466{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.459{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.453{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.448{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.442{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.440{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.433{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.426{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.422{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.418{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.417{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.414{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.406{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 10341000x800000000000000082435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.401{89C4FCAF-46C6-6387-1806-000000009402}51965500C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013186190) 23542300x800000000000000082434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:50.183{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912CA179D4909765E2E93EFFB55F2570,SHA256=A8523FF3D04375116E2916E04720840EE959D0A2FFF70721B1916A97B7A72B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.611{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8025F200A87D660AFA9944F613B4417B,SHA256=BE118FB7746A38D5C83BE9F01E3286FBF8E54B7522A837EFDD9CA812DEEB9C2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-565A-6387-8405-000000009502}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-565A-6387-8405-000000009502}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.192{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-565A-6387-8405-000000009502}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.193{1060B4B3-565A-6387-8405-000000009502}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:46.348{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50748-false169.254.169.254-80http 10341000x800000000000000032977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.923{1060B4B3-565B-6387-8605-000000009502}1948696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:51.467{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89B293A4FF88840B668C81F7FCEF05D,SHA256=8939C4EF13900D595AE8427C1A73ECAF1864E9D7624E36D1E773D930E1D2DFA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-565B-6387-8605-000000009502}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-4260-6387-0500-000000009502}396512C:\Windows\system32\csrss.exe{1060B4B3-565B-6387-8605-000000009502}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-565B-6387-8605-000000009502}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.767{1060B4B3-565B-6387-8605-000000009502}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:51.632{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF92B80C1C5C3FA3A135DF536CB76D74,SHA256=6227B1F0B4DFD0642F059967F5A93BF28A85C88259254EF6027F0D833E03BE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.966{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A69DA585438662247A715D1C66A8E80,SHA256=C4785565A1DB7F5DA25D67CA440EA2F17AAFEA319AF17E4B9FCBC2E2C46097A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:52.616{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CE32E6BE41AD890F9B6D544A2F2578,SHA256=293CB36FA1EF91F033E128E456F5E3D168539218A30EB012CF75BB8289EB0E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000032993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.578{1060B4B3-565C-6387-8705-000000009502}25201868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-565C-6387-8705-000000009502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-565C-6387-8705-000000009502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.437{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-565C-6387-8705-000000009502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.438{1060B4B3-565C-6387-8705-000000009502}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000032979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.163{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D421886C72A375EBA4F6AFCDF6F6D274,SHA256=D44ACBFD79F7B9D835F69F853E629BC6637E23507445A6EDC7037AFA8DAEB240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000032978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:52.124{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F97E98E49E23BC3B0E49FDFCB35BF0,SHA256=951B3E67B0041F0138B69A5CCA46FBA0C6C6697FAE3EB670A906604DF6E192BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:47.526{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50749-false10.0.1.12-8000- 23542300x800000000000000082472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:53.732{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4E2A83B460B240205098E3811C799C,SHA256=ED97137AEC4E75D77552116FC5F31CCBC0A5A6D2735C7E96FB35B08423CB04CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.334{1060B4B3-565D-6387-8805-000000009502}25721036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.219{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-565D-6387-8805-000000009502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.219{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-565D-6387-8805-000000009502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.218{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-565D-6387-8805-000000009502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-565D-6387-8805-000000009502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000032997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-565D-6387-8805-000000009502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000032996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-565D-6387-8805-000000009502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000032995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:53.107{1060B4B3-565D-6387-8805-000000009502}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:54.832{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8C1F39B21F1413E56E834A4F0D079D,SHA256=26FE5ED12E8F1F69D1911B84D5B326E5BC8604FFC66D7D79AE47E673525CE145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.179{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-565E-6387-8905-000000009502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.179{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-565E-6387-8905-000000009502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.179{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-565E-6387-8905-000000009502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 354300x800000000000000033026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:50.500{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50703-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2CF28FDB57A3B6866AD37B75250495,SHA256=D8C91688E0F398FBDBE7E8C0C8FD1B983E050EA53CDFE9F535F7EBCC38095F1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-565E-6387-8905-000000009502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-4260-6387-0500-000000009502}396932C:\Windows\system32\csrss.exe{1060B4B3-565E-6387-8905-000000009502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.046{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-565E-6387-8905-000000009502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:54.047{1060B4B3-565E-6387-8905-000000009502}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:55.952{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68C9C44F536C3AD8ECCA72B40B6AA4F,SHA256=3013BA4CD3153AEEAF1F2513F656B42F6D9EBBBE01C8B5E7919385783A46924F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:55.137{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641765F7FF98044B29AAE3A3346F9B73,SHA256=46B7D89F28EEE8DE1196F0D988DEDEC0E761A6D33730225B4C7850A69EEFF908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:56.236{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430DB353224E49689FE4F38B30BB1677,SHA256=42C24FC20C7656E92C4DB78642329DE994C4D9FA12B78838CD836F16CBE0BB6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:52.574{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50750-false10.0.1.12-8000- 23542300x800000000000000033032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:57.324{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A67C1F44D59A5525247EA852AACA3B0,SHA256=592A96A04FCF02FFCF6577B9F8E6A4615BFE9A93557D2E57CF037373F9F9865F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:57.054{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2380C53192800308AFF17CA4C3447C,SHA256=FA0E65ED24B2E3070CA7CF5365EC49451939A0BA7BEDF0880379D2EC348068D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:58.407{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F3F4940F486DB6E6A61D604A871887,SHA256=D5396DE09944BC31446C77E6FB4A5ABFDC0B5709E745A917A61543D794626967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:58.170{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3182B457B63AF0208F70A7AD7E5A4033,SHA256=9E8AEF8F62945D91326E31CA00CEA083294B8A3012C48C7E26C52EE7B47A3098,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:55.571{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:10:59.503{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A9C05AA8F0A26D3548EF8DE56236A3,SHA256=99DE918BB2422615CACBF44FDB9E570191F647531FB7158C984BB600E617D3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.902{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140AE89BD77A629436EC3D4800DB2CD2,SHA256=A81B998E445C7C277A30448FFFB1DA24A58922A8FAE4EC8347084B1C450B9AFC,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.818{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000082545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000082541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000082538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000082535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-3FFF-6387-0500-000000009402}408424C:\Windows\system32\csrss.exe{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.802{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.803{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.555{89C4FCAF-5663-6387-2E08-000000009402}45121176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.555{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.555{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000082526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.386{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C06E40884DD4E5526F3082C89B9B0C9,SHA256=0FEFFB64FC2FCC0700D2EE07F898EB0001C747F73BF84C2EC8C26686BA22C7D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.339{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000082516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000082501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.318{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.317{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.316{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.315{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.315{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.315{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.314{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.314{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000082489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.313{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.312{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.312{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000082486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.311{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.311{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000082484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.310{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.310{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.310{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.310{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.310{89C4FCAF-3FFF-6387-0500-000000009402}408524C:\Windows\system32\csrss.exe{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.309{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.305{89C4FCAF-5663-6387-2E08-000000009402}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:00.593{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387B4918A78438C4CA9EAB2A480F0C55,SHA256=49BFE8372835054872E13B09D3B84831CD1B3D4583B37FAE9C66257F78071131,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.603{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000082638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.587{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.587{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000082636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.519{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D058FD07C44A986C4D6E0BF87EE1A11C,SHA256=04B2AFDC2D4C2BDEDD5DE09F93EDDF74EA871434F18C3B0DBDE5FAA9AA00EA9D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.335{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.334{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.334{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.333{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.331{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.331{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.330{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 23542300x800000000000000082628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.330{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=148BCBBBBA675970BF99C7E9B491E568,SHA256=3D3AD196CBD6384C4B4EE5705E3A239176F194806F19F346FAA3A3F977C0AE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.330{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EE85E864394B5C36A93EEA9CC03FFCE,SHA256=382FBB85B30F3C1EEF1D5F4C1F767A8894CCCFF10B654DF7AF3CED5FE96C0FDD,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.329{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.318{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000082624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.318{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.316{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.316{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.316{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.316{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.316{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.316{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.316{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.315{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.315{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.315{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.315{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.314{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.314{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.314{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.314{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.314{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.314{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.314{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.313{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.312{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000082603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.312{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.312{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000082601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.311{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.311{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000082599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.311{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000082598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.311{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.311{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000082596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.310{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.310{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.310{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000082593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.309{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.307{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.306{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000082590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.306{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.306{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.305{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.305{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000082586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.305{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.305{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.303{89C4FCAF-3FFF-6387-0500-000000009402}408424C:\Windows\system32\csrss.exe{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.303{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.301{89C4FCAF-5664-6387-3008-000000009402}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000082581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.071{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000082580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.071{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.071{89C4FCAF-5663-6387-2F08-000000009402}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000033037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:01.790{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3EB753A4ADA0C13A580EE34B782B25,SHA256=3140562EF1A2395A943A8092C2B8E05ECC6C8945DEFE94AEB4382C764FE1EA62,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000082646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:01.888{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000082645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:01.888{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000082644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:01.888{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000082643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:01.672{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BD19C7DD55A6DAFDD3AE94C5BB58C432,SHA256=D3E0588E9A6BB0CC484EF1AF15A34A0536B2A9F14FB6A625E80A7D1DC7D0BF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:01.603{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D03B1C6DDBE7B7FB98E03FD6B7B006,SHA256=942BF9C9918E8A0D56C49C4E933D464586A881CED73C0587BDACC9AB82864A90,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000082641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:01.119{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000082640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:01.118{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000033038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:02.864{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A3A9D9DA364C874413680E60ABC4B8,SHA256=99985FE3AAB6FF85F96ECB67BBB01B73D141019AD1735DC8E12847F7758321AB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.973{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000082666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000082664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000082661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000082659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.958{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.959{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.787{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE9CB7EE52BC56A52D85DC06268A38,SHA256=E40EB695E10E34390C91F0E408530F3CADFF171DA97BCEA3E2BE2E28C81F5149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.402{89C4FCAF-53ED-6387-D107-000000009402}6412ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\f8bskrpn.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.508{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local50752-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000082649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:59.508{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local50752-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000082648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:10:58.445{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50751-false10.0.1.12-8000- 23542300x800000000000000082647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:02.266{89C4FCAF-53ED-6387-D107-000000009402}6412ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\f8bskrpn.default-release\settings\data.safe.binMD5=08228FC0E53EB0C908F358BA1CBDF22A,SHA256=8079F2B80DDE1D47EB9734DA72CD78BC29784C65230801EF9CA6D5B5472E20EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:03.956{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DCB7DD48605B0EE4949964E926DCF9,SHA256=36A62725469E3E4EC3743548D0BD18A90A88EB0E8F08D4991A388B5EB0AE44BB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.977{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000082758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.977{89C4FCAF-5667-6387-3208-000000009402}2244868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.976{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.975{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000082755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.888{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5830DB0BED8DA11FECAF24685FCBAF96,SHA256=2D6B871DD26511028DA952FBA165F2247E5EE518FA04BD00C8A158259E00FD4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:01.333{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.775{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8130DA1D3290769DDA9139A293B04DE6,SHA256=E1BE8D582127FE2A41C7E2BD0792772B9B7CF222146AF5131F70EF5EA2C6462F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.659{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.659{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.659{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.659{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000082718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000082715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.643{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.638{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000082713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.638{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.638{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.638{89C4FCAF-3FFF-6387-0500-000000009402}408524C:\Windows\system32\csrss.exe{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.638{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.638{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.638{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.639{89C4FCAF-5667-6387-3208-000000009402}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.297{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50753-false34.102.187.140140.187.102.34.bc.googleusercontent.com443https 354300x800000000000000082705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:00.281{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local58283- 734700x800000000000000082704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.174{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000082703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.174{89C4FCAF-5666-6387-3108-000000009402}36286596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.159{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.159{89C4FCAF-5666-6387-3108-000000009402}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000033071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.319{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.317{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.315{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.313{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.313{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.310{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.309{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.308{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.308{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.306{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.305{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.303{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.301{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.300{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.298{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.290{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.284{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.283{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.270{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.265{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.259{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.251{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.246{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.224{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.218{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.214{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.206{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.200{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.194{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.185{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 10341000x800000000000000033041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:04.182{1060B4B3-4261-6387-1D00-000000009502}20043256C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000145A2190) 734700x800000000000000082810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.732{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000082809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.732{89C4FCAF-5668-6387-3308-000000009402}25366636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.732{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.732{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000082806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.532{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000082785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000082773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x800000000000000082771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.516{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000082768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000082766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-3FFF-6387-0500-000000009402}408424C:\Windows\system32\csrss.exe{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.511{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:04.512{89C4FCAF-5668-6387-3308-000000009402}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:05.525{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BC91AEBE624968B527CD8343D4DDF1,SHA256=7F542BC7DDA623747613B6FD5082573C4290531112696420E6CE0412F46722F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.634{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A71E62F3FFA7DB5B564A78E1975E60B,SHA256=2ACE22CD1C1E53D92F2A351B35A3341FA8871DCF262D2CFDF028C9A98028623E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000082868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.417{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000082867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.417{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000082866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.417{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000082865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.351{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000082864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.351{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000082863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.351{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000082862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.350{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000082861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.350{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000082860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.350{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 734700x800000000000000082859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.217{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000082858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.217{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000082857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.217{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000082856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.217{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000082855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.217{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000082854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.217{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000082853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.217{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000082852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.212{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000082851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.212{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000082850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000082849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000082848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000082847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000082846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000082845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5501 (rs1_release.221103-1703)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=C7322EC55BB24A89D05C0F35265AD4A6,SHA256=D2645D88D5969C72D3F437094254F167EC574706C4934385F3241E78F172DFE4,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000082844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000082843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000082842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000082841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000082840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000082839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000082838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000082837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000082836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000082835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000082834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000082833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000082832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000082831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000082830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000082829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000082828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000082827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000082826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000082825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000082824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000082823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000082821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000082820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000082819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000082818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000082817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000082813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000082812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.200{89C4FCAF-5669-6387-3408-000000009402}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:05.197{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76A29619A937DA9D823C72FD069F12A,SHA256=C050C38F2F92DE7082F27DB2A4BDFD6F0C03EE5723E3E03866E57ED7A03126B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:06.578{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12AB69669286D0E3B0AFF9AF2D4307D,SHA256=843B171014DD2414ED2470D67F930368D9A173D8E9C0B63901E05B1C082B285F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.994{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.979{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.970{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.945{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.929{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.855{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.849{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000082871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:06.377{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EE78AA9787BC1A295DCC35F0AB46A8,SHA256=1B682E38458043880B17A2471285BC4EF036D691156971142F69BA41E579E5D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:03.483{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50754-false10.0.1.12-8000- 23542300x800000000000000033074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:07.674{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3BB33A3455EF7CF868D421F317F66C,SHA256=1167EE2C076801169E3F3AD5D25B28423CFF3197F8903027203AD57F75146F6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.815{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.808{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.798{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.792{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000082893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.300{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6336225DC0FD18F0949E626C8E0491CA,SHA256=D86C3D3BF81394E9F83CCB8C7D4561C7DDB2523882C6DA3DE34858EB44E204BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.172{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.168{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.166{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.144{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.132{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.128{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.126{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.123{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.078{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.069{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.049{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.041{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.028{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:07.014{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000033076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:08.760{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923EF4ADB949149D3C1CEA42B1E589B,SHA256=8ADB6D339AE4A7DE156048604B1A364F118D98F235701E6FDB2D01C25072C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:08.367{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA90B97F28688B1DA8160E45B7930F,SHA256=05B31C2F52F4199A0A953AA259FD48C7B01AD81185F069A58A9928F733FECE76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:06.431{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:08.284{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\respondent-20221130113546-092MD5=4367FEF3D0B44A451D14676E8838B8C6,SHA256=A57E514C51A9299EE718F8B114501F94A24E2C8835ECD359B7D2BBD0A7C75EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:09.851{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4AA407C7BFD38A2AEF91E1A6D04C21,SHA256=A71C705974856ED7BAA7EE9D6A39F8048B0B4CAF8DC8CF5F225866A78E9BF198,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:09.855{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:09.854{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000082901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:09.455{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A5EA2A809C29A753A532F7C5E3DD16,SHA256=18DB41B62192A2E4B8A564283CF959E4A2F4E9EB38C5823B16A8F11F4A108E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:09.283{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\surveyor-20221130113544-093MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:10.940{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9778784509DFF6F390D7658E7CD68B,SHA256=832A2E217191FBF64040191AC354F8A6D868E05F3E68FCB2D4DD2764A42EE572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.570{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.567{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000082936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.565{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94F06CC0520508667FD0A472A839FB7,SHA256=3DBB2B57C991CEDC2CF2AA7A1D3F7AD01F9F1E7FC74F93B25BB89FFB75ACC091,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.564{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.559{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.556{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.546{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.543{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.540{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.537{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.528{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.525{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.498{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.495{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.494{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.494{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.492{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.479{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.463{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.430{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.422{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.408{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.399{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.396{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.392{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.388{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.387{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.382{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.378{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.377{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.376{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.374{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.373{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.371{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000082904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.368{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000082939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:11.654{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F8CC4944E4CC04BF22CA1C20290FBE,SHA256=F7666EC3BBD177DE6861EDC772FB0A2ACEC6D655A4BE403E611EE22D5EF15A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:12.886{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE0C07A4D6DD7A13BCB76AA57772ADE,SHA256=6E483795EFA2143334F89EA4EAD0EF7FF63BAE9E2C16C4518ECDD353B2B3F7CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:12.028{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2673470A8DA077A30204F421D88D3690,SHA256=500F7F2DDD29B2D767440826152560D452F06D4830EA740A02DE8BEEA85FD8AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:08.640{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50755-false10.0.1.12-8000- 23542300x800000000000000082940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:12.004{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:13.902{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B991C6CA1A6A8148D60263727642A0,SHA256=9BE9EE4F20FB02F9F9E66DE7CB4BC87D276D831A0959D7A9B4BC68FDCF0FD651,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:11.552{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:13.552{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:13.116{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878D003868016DF70783CCD01339F2A4,SHA256=3BA357BA999D90F192D2001EE8DCB994DB107A41728A2B65B0B0597F30B49295,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:10.375{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50756-false10.0.1.12-8089- 23542300x800000000000000033083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:14.293{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D4E741DC2DA523EEF99AF608650766,SHA256=D3EF637AEB633A833E683608909BDD9F654074A5D2AA865F327558BC3FE44286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:14.339{89C4FCAF-53ED-6387-D107-000000009402}6412ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\f8bskrpn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:12.861{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000033084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:15.374{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E81981265A96B65A1DD2B0E1B02A89,SHA256=98D3EA689C6807CB7511FB621A37C964F7568DF666938696FC7DC342ABFDC90C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:15.039{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CC3600B8FD787185DB801A09084028,SHA256=695DC5E40FE24C7540015533F2D69FB4861E0B86F6F904A8124F5817AFB88EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:16.463{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD64C50894175873938D84A5F5571BF,SHA256=D2235375E7B6848FF18030D601ABE525371899321E8412BFE84A4843D457EDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:16.154{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07719C49D385920B66E5383F963AF6C,SHA256=EDD89618788CC7768052CD8042FA51E6EB99A0B9289265B5AC392485144C8945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:17.538{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4D2FED5084E0695249BC5D7606AFD0,SHA256=BC696EF646E5837CD743ED4420A60BDD7109CA437B8056E47D5A1542F029224E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:14.427{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50757-false10.0.1.12-8000- 23542300x800000000000000082948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:17.302{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A3FDF3C4FEFC8DB2CDBF96FE75B1B8,SHA256=5BEA63E8C243F1A63A8D35386B0389BCC8BAEF4BA70D5DFD1EB84EA93B4097FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:18.740{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDC719E900B8A2CD48603E3E24CF3DB,SHA256=3202EF2EF1D063E9889000035436EC24F54536ACE04D364E38A934FE82B2C06C,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000082953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:18.769{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x800000000000000082952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:18.769{89C4FCAF-3FFF-6387-0B00-000000009402}624792C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:18.769{89C4FCAF-3FFF-6387-0B00-000000009402}624792C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:18.401{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CDBE4BF7D2D15933BFC5EBA2E9E7B7,SHA256=341E78458C9947C7893BEFE9E4B86AA759ECCB34693272760B5C5AD00F960780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:19.834{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C31CB663AF0F2B1E05CB0A89B2D7A49,SHA256=2B6D3889AEA5B10E0ECCA1773F06DAB164912D006AC4114EB32E3037FF149E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:19.502{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DA1C1C089EBC95154514DAFA4993EE,SHA256=58F654CA6376B55E85F39E415BEE83AFD419D8E9DFF748EDA7FB3B92DDAACDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:20.927{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1125258069DEE834AF98F2AEFAF89727,SHA256=46CB789739C6FC417943AD020965E1BE4BD95B7739BBA1F10CD16C60F2794648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:20.604{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF64AA4B5113C72D94DB60117644B6D,SHA256=36A32ABBF73DB9F62CAFC1A030625D010A8663A1552DC1E628969767B77A72BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:20.814{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=40F278C4989740C0CFCD62496AB49DA2,SHA256=E74C1AE0727E56B53C2E78465B6AB0234C80964B782AE688DCD92D492A128280,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:17.160{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local50758-truefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local135epmap 354300x800000000000000082955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:17.160{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local50758-truefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local135epmap 23542300x800000000000000082958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:21.719{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C35AAFB5C3683104EE318A65D26006,SHA256=C2BD60BA9CBE8B629CCEEBA337D9DB188000AB01957330472645DC222A812116,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:17.387{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:22.824{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC2D4BED3AFA7C6E2783D3B5DC85CD6,SHA256=DD9D6ADF681270B04D8D1F8B650C303072824FD8B67E5D32ADEFDDE73223E0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:22.225{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6DD7E932141865B0B13E579D22D5A9,SHA256=A812A9DA7DEEC2B790DC4A05A5C32B72A91D0730EC43D823EDE134CADEF3076E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:19.489{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50759-false10.0.1.12-8000- 23542300x800000000000000033094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:23.326{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C0BA136E7E633DA0470EDB88CF9401,SHA256=DFD889F0F6094500F8F3F64FA1A1532088FB56808DFE08822ED6293153E05D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:23.840{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52A43F60E2A9A5CF72EBE1A46DEB12D,SHA256=2B377ABF415C5BDAE4378A1ADFA4C6ACC4B55BE2CF093D159F8D5DFA23557DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.996{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFE360DBCAC3BABBE038EE38897B8B7,SHA256=DA0CB7AE9D514B00EBBE7A43CE6191F0C7FF9884549947B1630B0C4FB2749658,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:22.464{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000082962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:24.959{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C6E8AF15B526C869C636B889C6DBB2,SHA256=D9FC0B5C3146A4E3366259E8E71CB5E2D9EFD26D404A08354C446623394499F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.382{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.380{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.376{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.367{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.358{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.354{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.352{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.351{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.350{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.348{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.347{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.344{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.340{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.339{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.335{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.324{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.316{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.313{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.290{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.279{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.254{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.247{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.239{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.218{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.209{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.204{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.195{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.189{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.181{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.172{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 10341000x800000000000000033095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:24.170{1060B4B3-4261-6387-1D00-000000009502}20042548C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E80190) 23542300x800000000000000033128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:26.150{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7402C9F847CFA877459DC975D6EF989,SHA256=65E403E45064311669A0D0D98DF5FFFE45E160C2C89CA1F274730CA59C6DA6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:26.992{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:26.983{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:26.971{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:26.960{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:26.870{89C4FCAF-46C6-6387-1806-000000009402}51965512C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80850) 10341000x800000000000000082964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:26.867{89C4FCAF-46C6-6387-1806-000000009402}51965512C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80850) 23542300x800000000000000082963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:26.027{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941B15AB8E34E212EDAE0DC3BB8D140A,SHA256=390D8A0E89DC8393F481DF9E2C53EA42F817DC7E063CC6FCE9DCCE0979B5EC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:27.337{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72CD85807FBC33696C560587B85CD62,SHA256=3E022CB6F8DE8AE22668802B0F98BFC8C69DD26CCAA6518789DAB18A551DB914,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.880{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.866{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.850{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.842{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 354300x800000000000000082986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:24.593{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50760-false10.0.1.12-8000- 10341000x800000000000000082985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.180{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.169{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.160{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.136{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000082981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.131{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350DE600D88241CB804DEDD3F376C2CE,SHA256=80559737BF2A39CB9247C8A19669CCB732B3A55654018EF5D7C738DEB3F24607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.128{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.124{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.122{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.119{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.075{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.068{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.050{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.043{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.035{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.022{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000082970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.012{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000033130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:28.522{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6AEEB8E27DCFF773D37113EBF2FF39,SHA256=A1A220CC185A4354F37E4EE52F4E52F162637F452C0DFD7847AEEF6C42A4D963,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000083000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:11:28.828{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_1DB41A76-0000-0000-0000-100000000000.XML 12241200x800000000000000082999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:28.828{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\1DB41A76-0000-0000-0000-100000000000 12241200x800000000000000082998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:28.823{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\D786969F-EC70-402C-829B-DB9374CEDB2B 13241300x800000000000000082997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:11:28.823{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D786969F-EC70-402C-829B-DB9374CEDB2B\Config SourceDWORD (0x00000001) 13241300x800000000000000082996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-SetValue2022-11-30 13:11:28.823{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D786969F-EC70-402C-829B-DB9374CEDB2B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D786969F-EC70-402C-829B-DB9374CEDB2B.XML 12241200x800000000000000082995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:28.823{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D786969F-EC70-402C-829B-DB9374CEDB2B 12241200x800000000000000082994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:28.807{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x800000000000000082993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:28.807{89C4FCAF-3FFF-6387-0B00-000000009402}624672C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000082992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:28.807{89C4FCAF-3FFF-6387-0B00-000000009402}624672C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000082991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:28.175{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182222716735C04E720BEF9FE5F8C67A,SHA256=02C6C23441AAB1F841DB3474B696C718E32F3624182567FD95486329AFD8769B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:29.715{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69FF69A32438E3DD4AA1267053F0A07,SHA256=B84C99FB9597E45762C32D7334E8F7C63F785CC7CDF2740915A5117BE421EEC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.908{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.907{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.659{89C4FCAF-3FFF-6387-0B00-000000009402}624792C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000083035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.659{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x800000000000000083034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.659{89C4FCAF-3FFF-6387-0B00-000000009402}624792C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.659{89C4FCAF-3FFF-6387-0B00-000000009402}624792C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000083032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 10341000x800000000000000083025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.473{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.473{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.473{89C4FCAF-3FFF-6387-0B00-000000009402}624792C:\Windows\system32\lsass.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000083022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.473{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.472{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.472{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.472{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.472{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.472{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 734700x800000000000000083010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.464{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000083009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.464{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000083008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.463{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000083007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.455{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x800000000000000083006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.455{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000083005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:29.455{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000083004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.455{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000083003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.455{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000083002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.454{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:29.291{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7633557E3015E48DA2E0EDDFA88E8D3C,SHA256=ED733F0C5BA3F1AD44AFF62A31543CB03D50198C0E6F651E6FFCA61E1845970B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.740{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=013C9B7CB5DCB1B719435CA49413D842,SHA256=8C223636464450D3A94DCCD74E52EEDE82D8C8E94A082F7EFF41F1FA9856E469,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.700{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.697{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.695{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.692{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.689{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.684{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.681{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.678{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.674{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 354300x800000000000000083070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.196{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local50761-truefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local135epmap 354300x800000000000000083069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:27.196{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local50761-truefe80:0:0:0:1c5f:fcc0:753:556ewin-dc-ctus-attack-range-657.attackrange.local135epmap 10341000x800000000000000083068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.660{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.658{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.633{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.629{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.628{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.627{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.622{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.611{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.589{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.530{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.508{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.494{89C4FCAF-3FFF-6387-0B00-000000009402}624672C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000083056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:30.490{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 10341000x800000000000000083055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.490{89C4FCAF-3FFF-6387-0B00-000000009402}624672C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.489{89C4FCAF-3FFF-6387-0B00-000000009402}624672C:\Windows\system32\lsass.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77e3c|C:\Windows\system32\lsasrv.dll+e7b34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.485{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.479{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000083051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.478{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB0636F183CF90CF5BA35D7E29EFB84,SHA256=0DCE80F70A68EC4DBE0EE04657C167A488AD1021051FECD3FCCC8EFD3186F26E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.477{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.445{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.440{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.439{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.435{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.433{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.432{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.431{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.429{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.428{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.427{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.424{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000083086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:31.876{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1BA2A5B5165D9A929A35F3E299FC66CE,SHA256=AD837E6658FF9DAD90C3CF3335E4ECF02166E28782AFF82665C6A5D9285F9F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:31.797{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F04284798467EFAE3F22C969A16705,SHA256=1A959B575D75DD6B4CF683C68A159D3C24D710D5F25EEEE43F985B47C90E2213,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:28.873{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50763-false10.0.1.14win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000083083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:28.873{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50763-false10.0.1.14win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000083082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:28.046{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50762-false10.0.1.14win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000083081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:28.046{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50762-false10.0.1.14win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000033133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:28.424{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:31.023{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE72CB9B5E8A301B9FCA5CF857118C1,SHA256=F6F419372952C4D55439254AC7B3ADB414AC9FA48E56BDFCC2C288C1DE840DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:32.749{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF47694FDA9F99FF2DB5FCE0878A494,SHA256=C30F068EC4E2B83BD3A12FC4E8F34F30D47B95523A793F504E3629C12349199B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:32.101{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFE5C3E56B0C1805C7E82020C43DC2A,SHA256=C68E0730C8B76E898F02D89B685EF66A5F075CBA413EC39201742AA5B4823768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:32.708{89C4FCAF-4002-6387-1100-000000009402}476NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A7300C79E269EA0AC2E84337B2878FDF,SHA256=55E96EF26DD916AC2F854E73E3BDC7A39D008181DC0B523E65787E7633FC9E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:33.845{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEBB91E5AD5B905973809768BD5E450,SHA256=C88D3F12DD0203156F08F40289C00B61833C0F378B6918DEE5A6B8D374C4465D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:33.187{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FA2181C8C0CDB0D2FB95ADBADD2678,SHA256=7546BFFC31CEA72D4D029CD7A5FB05FED6F8F644549E1BA1180C431C9CAD4ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:34.269{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3847DB5625483A6F1B9C5E5A2C432F0,SHA256=E468F70DA724BBEAB939A6E071509CF867117A8B874057E47753775CD70CB7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:30.610{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50764-false10.0.1.12-8000- 23542300x800000000000000033137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:35.575{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8A85A8D002FF11E2F714CB84FCC22F,SHA256=970352B9FCBABF9E4F1F9C76F1CA22F585EE8C6A29F5DC97A6DE6F0506B221BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:35.045{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A494B5A57F354EABFB8110432E62D5B1,SHA256=3131E2998059D1DE9B6BA7AF7BB4246AF1CC8217DD1B5882BBB8F896AC0E6312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:36.667{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AD51C2BEE3F78978EAB714D7324B48,SHA256=FD4CE1EFB90596870A087E8CB25956FCD6C1875B363A1FB3510BD8623E296401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:36.161{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DC19F690C2B43600E77B84EA6C8BE6,SHA256=114F0F6D023D863FE79E95E2198659066862D61613C8B8779D104A0E5039D26B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:33.437{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:37.757{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1682C07E7201518219B0740926C8E3,SHA256=B2878D49D32A2A83812DCFAD8F1F4EB78D78FADC93536F19A042FC6F979DAF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:37.292{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216B07ED3F71C51D15E8A60FF156F8EE,SHA256=CE2DE0F673F25B41CDDA492B7C262121B8766582E197380D28AA3365FD07D68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:38.851{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEA900C7E944575340C08F89B9A8689,SHA256=EF98CBD9715A79253A30CE8E5AF5DC4719BBAC635778B0D720C74AAC5A864381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:38.391{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D7E6298B1018075B000536BE3DC7E7,SHA256=EEAA7F9418880289CCF7861D9A4E6E1AE983D62A6F3CE58F407307D96574476D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:38.569{1060B4B3-4261-6387-1200-000000009502}988NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6F0C586716F8000D7E7D45C028F950E2,SHA256=4F283682F7B5BE30A95E80858E4DB379B451EBAB8C87A60FFE1314C36820FEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:39.412{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD41EABE432864C744F48D7B3D06518,SHA256=14EEC453A576DB4C8C7043771BFB564BBAC804E7D863354C76F66D25E4067E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:40.650{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDDCD18415A390E3438222FB5D6B597,SHA256=0A9E4E0BA3275E4806F5370C085964068DA7630F0E42CEA3FD726E565D969348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:40.162{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099F801A6B0F88AE0BE0E190708125CF,SHA256=3C224CEA20FF5E0A390F1353D7C1B0F315A5714BF7600F360A155F8FEE7A320A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:41.784{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD124B55DAC6289C2857612611DFA08,SHA256=1267969A4089EFB2B0B3AF3DBA0294126D8A26AE77640D84DE9927420C84E8D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:39.440{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:41.249{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDD9A1A56F169D96F9042DD6A6D2C82,SHA256=DFCD121F354D7C04FE78B811F8BE524BF16C8AEF6016181B04A3AB2C1A44F136,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:36.478{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50765-false10.0.1.12-8000- 23542300x800000000000000033146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:42.330{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BBE557F0BDC3571D0D727148B2C6FD,SHA256=42799385D94BBAC3BDD986D22EBCCADF1B4BA2D6E5C829BE3341FEB22F3FD195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:42.836{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CC9BD9CAB1DF7FA42CFB385A0CBDA9,SHA256=B3AB32B9D509AFAD9A56ECEAB30E0C58072AFAB88EE598CA89D367164E0CCFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:43.632{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F164A60B7CA5BC7D991DDE9B56BF0CAD,SHA256=ECC13F4088CBB4A69CC3C5DD05A4EC4B443FB84F8D9B009DB1485B99CB5FE176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:43.891{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374DC36D62E6C069557A300FC90B57B0,SHA256=5388D8EFB7F349BE7CC3452483BA60DF8E0D90222D6F5DBCC07A7432A2923016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:44.961{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD08F9FF65502DCEEE8BF840A52654D1,SHA256=CE8FA44480CAE6E5037AA0C5E6CAEBEB6EBBC6E401DFFA52E4ED80020F36B012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.462{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.459{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.453{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.449{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.447{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.436{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.435{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.431{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.429{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.425{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.422{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.417{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.407{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.405{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.401{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.384{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.368{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.364{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.333{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.324{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.302{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.294{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.284{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.253{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.247{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.240{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.216{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.209{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.201{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.196{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.194{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 12241200x800000000000000083101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:11:44.524{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 23542300x800000000000000033179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:45.124{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69856639455817EDC5BF39FBAE89B07D,SHA256=56768872037E6C372A49FDC88891B88F05BE2BA3F569010DE05B08CDF657D97E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:42.910{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local64146- 354300x800000000000000083104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:42.910{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local58537- 354300x800000000000000083103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:42.525{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50766-false10.0.1.12-8000- 23542300x800000000000000033180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:46.227{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215B0023FA67DBA0B0CE335256E939F1,SHA256=ABD212ECB81DE71A63AC15B71C9653776709492EAB47A8CE1AFBA3AAC1DD6526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.991{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.974{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.955{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.941{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.932{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.866{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.863{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000083106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:46.001{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE89D953F1FDCC6F2F51796E4567F703,SHA256=6D4EE2BF07D9FB07F0A45D3231ADC701501A8FCA7E1E47E2F86ACB6479D5607B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:47.579{1060B4B3-4261-6387-1C00-000000009502}1984NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-02f395d688d6dc534\channels\health\respondent-20221130114540-083MD5=421A2730ADAE3A660BE9B98FCB42BB32,SHA256=DD9501AE8159B049E06ACD4F3040B1765B6D21D365832970C0A6F127BF3F7749,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:44.530{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:47.299{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C506859324B94CA3726373F97267576,SHA256=BAA75BC927FF4DFE7BBB468B0EC79F17360674E8A8E4B2CF9A6932E5FB102846,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.610{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.604{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.599{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.596{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000083128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.120{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3EE453D3C81297838AC0B42EA9C0FD,SHA256=10BD7034E236AD18AE1CA9412D1511812BC3905815991E0BCCEF0EA6E8A99985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.113{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.110{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.109{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.096{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.089{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.086{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.084{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.081{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.053{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.045{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.028{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.021{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.014{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000033184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:47.122{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:47.122{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:47.122{1060B4B3-4260-6387-0B00-000000009502}6123568C:\Windows\system32\lsass.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:47.105{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1D00-000000009502}2004C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.003{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000033189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:48.607{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98140CBF2F47EA7ABA5B85A11AD4AF30,SHA256=FDB82250A83FE35CE7E8BB5E6681DAFE6AE29B359DA379B235526F052F1C357A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:48.590{1060B4B3-4261-6387-1C00-000000009502}1984NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-02f395d688d6dc534\channels\health\surveyor-20221130114537-084MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:48.053{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BA3B58557FF12920B5A1857E118937,SHA256=F390939F68B3B5919F0E4F67C4F0B2A688B391E3CB5DA0722444554BC7DFE028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.731{1060B4B3-5695-6387-8A05-000000009502}22481700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.692{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09E4B0EB1F05BAE03761F060D8FBA53,SHA256=37C03ED482D2542615E5FA0896C33B22C8402C6E915FCCFA3549A868328F7951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-5695-6387-8A05-000000009502}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-4260-6387-0500-000000009502}396932C:\Windows\system32\csrss.exe{1060B4B3-5695-6387-8A05-000000009502}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.536{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-5695-6387-8A05-000000009502}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.537{1060B4B3-5695-6387-8A05-000000009502}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:49.623{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:49.621{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000083134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:49.089{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F8B3975CB99D89727B15742C7CAB21,SHA256=58C1C52AF1910F9D6B301AFE728CC3B2813D3D07C9B468C6B1811421CB41478B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.784{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1383D243C65C8644CC5E83D003554EBB,SHA256=792CC48698DBE46140D6F02A266511DD9A0B490D28E00350FE67B1939B5586EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.773{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-5696-6387-8C05-000000009502}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.772{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.772{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.772{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.772{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.772{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.772{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.772{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.771{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.771{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.771{1060B4B3-4260-6387-0500-000000009502}396512C:\Windows\system32\csrss.exe{1060B4B3-5696-6387-8C05-000000009502}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.771{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-5696-6387-8C05-000000009502}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.770{1060B4B3-5696-6387-8C05-000000009502}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.351{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.349{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.344{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.340{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.337{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.327{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.321{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.316{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.312{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.302{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.300{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.273{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.272{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.270{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.270{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.269{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.260{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.228{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.189{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.181{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.170{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.165{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.163{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000083148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.159{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0E05DCFEEB6103BD5A230A295AA59C,SHA256=41BC996DCD7BA7EC60451F933F46AE713EE690021CA02C89875E0B3CF086A9B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.158{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.154{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.154{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.150{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.147{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.146{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.145{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.144{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.143{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.142{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000083137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:50.139{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000033218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.669{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A9410302CC65F5FDF7BE4021B664094,SHA256=17089A995DA45C88FAA04DA83DF223636C9A8532433907C53C0B0B8DE35A4D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-5696-6387-8B05-000000009502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-5696-6387-8B05-000000009502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.157{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-5696-6387-8B05-000000009502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:50.159{1060B4B3-5696-6387-8B05-000000009502}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.933{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874932C659CC451CA80CAAEF9C16727C,SHA256=24CE45FF2A586A12288B87EC9D6DAD4F9F48DEEEE68AB1C97B501F192BE05876,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.769{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-5697-6387-8D05-000000009502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:51.525{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B1D1D9CFC01F363BC49F2249BC6654,SHA256=9B09CA6C39BCECD42EEDF26E516D6871559E8AAF4D0757099E34986CED8D4494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.767{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.766{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.766{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.766{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-5697-6387-8D05-000000009502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.766{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-5697-6387-8D05-000000009502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.765{1060B4B3-5697-6387-8D05-000000009502}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.754{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C1B23E250F7C23AEFA8B06F24480FAF1,SHA256=8A470A831E487E102837F46F454BCC90B1C5EC3C5376722DA72760171B6076A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:51.029{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0DA77F6A804D99E21D2D0258198F735E,SHA256=9FCDEB61CE69ECD6C255F6721C52F56527A5EBEF2EB32F3DBE0F5C8A064ABE57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:47.574{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50767-false10.0.1.12-8000- 354300x800000000000000033265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:49.544{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.845{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081C5A4137CC8FAD0CCBD6204A112769,SHA256=D1FF59343D3AFB399D50127F2682FA6CD468436FF46C320EDFD866188330C129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:52.728{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57806F312AA1D41C80326EC0344CF97B,SHA256=7A674087964C6A14481AC1A83FD05FF5AD62993D67F1B220E1F31D15C6B9A3C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.659{1060B4B3-5698-6387-8E05-000000009502}3388664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-5698-6387-8E05-000000009502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-4260-6387-0500-000000009502}396932C:\Windows\system32\csrss.exe{1060B4B3-5698-6387-8E05-000000009502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.457{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-5698-6387-8E05-000000009502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.458{1060B4B3-5698-6387-8E05-000000009502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:52.028{1060B4B3-5697-6387-8D05-000000009502}37401496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.939{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C9FFEA08FFB8A9F9FD3E478CAD6292,SHA256=FE8AF8958237C0CF69D1DF26F8A86BD7214029AFDFA4DD5FE6AC1E81B750BAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:53.748{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EDB81945DDB5DF94137A1A07FDB7BE,SHA256=A4B5FB51F9974F2D8CA946AFB0EBA2D81A08E7C26B1CC4BE584EA271AE61AD16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.267{1060B4B3-5699-6387-8F05-000000009502}32242432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-5699-6387-8F05-000000009502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-5699-6387-8F05-000000009502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.063{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-5699-6387-8F05-000000009502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:53.065{1060B4B3-5699-6387-8F05-000000009502}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:54.801{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF97B153A60A7CF7C9CEC8DA7B1DB7C5,SHA256=E40FE8B85DF4746D1B766833FFE59595D56697AF27E9A2B0037084970C7FC1F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-569A-6387-9005-000000009502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-4260-6387-0500-000000009502}396512C:\Windows\system32\csrss.exe{1060B4B3-569A-6387-9005-000000009502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-569A-6387-9005-000000009502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.059{1060B4B3-569A-6387-9005-000000009502}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:55.852{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054DB24807F3852DA6ACED4158B5D1B4,SHA256=E84E542A1FBBF03145830C948B0B0EEF2100761AD3C0436729045515B95B4CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:55.138{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5E60BFE99EC8F3272B71D1A7BBA12F,SHA256=A5E891B0F25F26D44030980B2A749A5116D995D2213B4BA930FA4E781F0157B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:56.892{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3609A73417C7CDC9124F8B7DBEC981EF,SHA256=7C99D27BDBC77A025426BB8A95D797BA419BEA3FD9F608D878EB3260743AE495,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:54.556{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:56.324{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82FCB0923B92E74D7CBF81120882DF5,SHA256=87FE0DADCB7221AC3D73C1DA7A2B6B461E3F8260A7CAE363016E66FB9E8EC018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:57.971{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB29115D60EC4B790DD2ACD24F4F929,SHA256=96024F94391B2F1E515940272185EC622330C9FECAE45A66A19356DBF31FDC3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:57.408{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B391073888EF4A33A6E47C6FEAD8EE,SHA256=A65A5413434D67118EC8B60D661179B2F7BB0EC433E4A30885D9F08ED5D8CE4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:53.503{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50768-false10.0.1.12-8000- 23542300x800000000000000033298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:58.495{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D640777660890EC683A072989E5B1E73,SHA256=B0557D85B4871FF95BBAED314FB92A221403D9C6A052226E16343F1C2E60104B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:11:59.584{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D8F6FC1583EB45F7E202E347B5F0C7,SHA256=7871A50FCA955794736BE174CA718E2ADDC6EAD015C016833510BA1B73AA8C2B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.859{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000083245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000083239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-3FFF-6387-0500-000000009402}408524C:\Windows\system32\csrss.exe{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.841{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.842{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.411{89C4FCAF-569F-6387-3508-000000009402}41601220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.411{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.411{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000083229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.209{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.209{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.193{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000083193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000083188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-3FFF-6387-0500-000000009402}408424C:\Windows\system32\csrss.exe{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.177{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.174{89C4FCAF-569F-6387-3508-000000009402}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.009{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E6DC403EBD685B90E176A927DEC873,SHA256=B8E1DF8AC0EB3F9E5B1DA104A9AFCA86410D2FBB24E7015FEB16DB67D592B25D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:00.673{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBEA56487CF0C3932ED4826F6245411,SHA256=9B60A63C4025FC1A9DAA2E737FC9617418C4603E91528F73C4D2A1007324E86F,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.712{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.712{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.712{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000083339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000083330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.528{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000083309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000083306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000083305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000083304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000083299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000083294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-3FFF-6387-0500-000000009402}408524C:\Windows\system32\csrss.exe{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.512{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.513{89C4FCAF-56A0-6387-3708-000000009402}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.327{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AEFB97D7F4FD1BA86F181A50FDDFF9B,SHA256=70E6C8DCC9FC885AA41BBC761CC8D827EC1DC65044420F8165A7AFFABAE50244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.311{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB807A8BA8E1949A4E53DDB3605B9635,SHA256=D395DCD70254FB903C35D3B8FAEF20925DE0BD55370EFE3735A0A229747C9F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.311{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A518DBA19D6419A1BECE8CFBB5EB9C24,SHA256=3EE552F6FFD5201A032054D7E3D4BF3DA696A97AE22143BB75925A2CA19F05C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.276{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=05EB44C4D3D32F784185C9D77DE8C840,SHA256=EB8C76BDF24467B2A7E1AC22C530D247B10965AFB2564533952E6464E43FAE52,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.067{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.066{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:00.065{89C4FCAF-569F-6387-3608-000000009402}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000033301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:01.780{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8E1AA544B449AEF28D29F032ACA6B6,SHA256=5CD439877985294FDF54BAEF1B8C12FCC3A78950587CF53457794CA1D76C3D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:01.443{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6A1A57AEC11B6597335FED68150D9D,SHA256=7F95AC98A6DFE523FCB7FB0B498481DC69F8D97005F1B858E119A121280BE171,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000083344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:01.139{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000083343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:01.139{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000033302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:02.869{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9599710670AC0B2D65049163A1C54387,SHA256=C83687FD652BC0C84ACC91719C1FB8F1DDEF86B1B2C81E14822E456D9ADB116B,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000083361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000083355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.980{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.980{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.980{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.980{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.980{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.980{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.981{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.463{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93E9ECE401B2D5EFDE261E1073248A9,SHA256=F2BE81425B1AF3A55557003489DD83C1788E18137DF8A13699D5C8C89B1F9B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.178{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FAEF518D17767F365537BF4D3001FD5D,SHA256=7A87786068126A03055C8465A11D2576BEA680E19CD8E6C4B596FE7E32F4F86F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:58.529{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50769-false10.0.1.12-8000- 23542300x800000000000000033304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:03.967{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20566ED001C0C28B5F7A822E545EF557,SHA256=108D056669510A288C02EA855480C5866F2B0E7051BD31775D4F5BF532FECEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.876{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CDC6437BDA7D4D21303C416D3B10E4,SHA256=54E77B5E98CD5BB1C9B9FFF566A7B5081D633745D07CB9CC115A6DF7DED117E8,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.872{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.872{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.872{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.872{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.856{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.856{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.856{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.856{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000083415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-3FFF-6387-0500-000000009402}408424C:\Windows\system32\csrss.exe{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.838{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.839{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:00.479{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000083408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.446{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000083407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.445{89C4FCAF-56A2-6387-3808-000000009402}46246656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.434{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.433{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000083404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.523{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local50770-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000083403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:11:59.523{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local50770-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local389ldap 10341000x800000000000000083402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.106{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000083401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.106{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000083400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.106{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000083399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.105{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000083398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.104{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000083397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.104{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 734700x800000000000000083396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.031{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.031{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.031{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.031{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.016{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.016{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.016{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.016{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.000{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.000{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.000{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.000{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:02.985{89C4FCAF-56A2-6387-3808-000000009402}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.965{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.965{89C4FCAF-56A4-6387-3A08-000000009402}60965176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.965{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.965{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000033335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.419{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.415{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.412{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.407{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.404{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.400{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.399{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.399{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.397{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.392{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.389{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.386{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.381{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.377{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.371{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.340{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.335{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.331{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.302{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.296{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.286{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.278{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.268{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.236{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.229{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.221{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.209{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.203{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.195{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.185{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:04.181{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 734700x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.715{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.699{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.699{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.699{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.699{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.699{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.699{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.699{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000083470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-3FFF-6387-0500-000000009402}408424C:\Windows\system32\csrss.exe{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.680{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.681{89C4FCAF-56A4-6387-3A08-000000009402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000083463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.181{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000083462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.180{89C4FCAF-56A3-6387-3908-000000009402}68761780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.180{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.179{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x800000000000000083459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.144{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000083458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.144{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 10341000x800000000000000083457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:04.144{89C4FCAF-46C6-6387-1806-000000009402}51965492C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-56A3-6387-3908-000000009402}6876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80F10) 23542300x800000000000000033336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:05.277{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE61A7DC90F4E6DC85E20EF2349B54B4,SHA256=759003438D19453F8CAE2453930F89FF3675030D7B5025E38FA1D52827325DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.737{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1DD1B6F45D52D05B673D53B7C84CE4,SHA256=B145038CA046399FDAF30245C01454A0D12415B9450DEB118F696A409A2A7AED,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.583{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.568{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.568{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000083564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.367{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.367{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.367{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.367{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.367{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.367{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.367{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5501 (rs1_release.221103-1703)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=C7322EC55BB24A89D05C0F35265AD4A6,SHA256=D2645D88D5969C72D3F437094254F167EC574706C4934385F3241E78F172DFE4,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000083551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.352{89C4FCAF-56A5-6387-3B08-000000009402}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.163{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E765B652D3776CF7C125B87759D61464,SHA256=E78BBF8D354B6BD45D2F00BEF86B09C72D19BC9402BBFE7DE162D2992C485253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:05.159{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B23CAF9590C07B97F6A468AD8C0C35,SHA256=D5C9ACB26FF645FC257449BCF3C93E9222D7C7161AEBC3739E1186A6B5E094AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:06.356{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A73DBC33863BEBACAF689C55EE92A40,SHA256=0F4F9961CEFFD2AA91CE1E364263AD13EA336045784157721B131EC4DD44FDDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:06.997{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:06.982{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:06.966{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:06.859{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:06.855{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000083569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:06.218{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3481317970D77F2E0D5877D9F91D863A,SHA256=42624049964547A214B48C9742D69B7D6E672EFA6EBEF1134E05034E43C10A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:07.432{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABDEB6ACCEA0A48C5338BACAF392017,SHA256=BD475E63C498C6D01983EA8BF897AF76841B7783ADEAEFDAF28EF21E635E151C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.798{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.787{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.781{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.778{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000083592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.268{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3856AC24DAAD845159586F95BCD4D82,SHA256=F38BC2D3D6639AF98DBA9EC61BD60FCF167C73F524F89820C094B907A93470DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:03.534{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50771-false10.0.1.12-8000- 10341000x800000000000000083590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.143{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.140{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.137{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.123{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.113{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.110{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.108{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.106{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.071{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.065{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.051{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.046{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.036{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.027{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.016{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:07.005{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000033340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:08.508{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8426823E83FB9762F84A8E70CC51BED9,SHA256=37965D9B4898C012D49789F147FE3DE42F252AC3A3916851BA7672341294CE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:08.305{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53B184EC2DA8996DC33FAA974221B02,SHA256=53ADBD559271970840F3199448043FB3A10D9D36B497F9F1CA9B1C062437DFBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:05.508{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:09.596{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3726F04E573C98A5476C44AAE66A74AB,SHA256=8C97B2883CD2401EA86B93B74940E267FC0761828B3A24D71DA9EBEE6EE72518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:09.812{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\respondent-20221130113546-093MD5=4367FEF3D0B44A451D14676E8838B8C6,SHA256=A57E514C51A9299EE718F8B114501F94A24E2C8835ECD359B7D2BBD0A7C75EC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:09.808{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:09.806{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000083598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:09.459{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386D60406165E548BB9E3A9A75E3B9A7,SHA256=22C6BA7B17EC0C845E7730457B3CB0FE20C0E4E3F48912A1B07F655C7FFD29A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:10.686{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA87ED9A58B9AF1EA142776DB676154,SHA256=E9CAFF80315032BEE2A3D791D425916D57437532F8222AF31017B2EF412B1F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.809{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\surveyor-20221130113544-094MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.626{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.620{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.612{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.603{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.598{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.568{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.558{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.554{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.548{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000083656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.535{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF437BD3FE21D0856A6E1436AB0A3169,SHA256=B30239B7C70DBD26836C0303B0EC9F013A70C207B4D1313F9791A32E4661A1FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.523{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.519{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.472{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.466{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.466{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.466{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.466{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.466{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.466{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.466{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.463{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.462{89C4FCAF-4002-6387-0D00-000000009402}904924C:\Windows\system32\svchost.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+452d0|c:\windows\system32\rpcss.dll+456c2|c:\windows\system32\rpcss.dll+47fcf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.460{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.446{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.421{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.382{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.373{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.359{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.353{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.351{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.348{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.345{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.343{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.338{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.335{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.334{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.333{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.332{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.330{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.329{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000083602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.326{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000033343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:11.749{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764BBDD789EB2DA5206AC64C1CD58F47,SHA256=F77537B34E694D40F330B5A1FF79308710C29FE3C2819B7334CF23F427BCC550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:11.627{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6D545A56FB33FD39C290BED54FAD38,SHA256=6B311A7787C9B6DEE7AC2BC8E209ECF1054933E4E3C29220FD9C07376E5F2CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:12.945{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5EFFC2A707A51E2D19CDC6E6F6E465,SHA256=CECB75BB05071C19B23FEC26421ECF690719039748B853BD4A5D947DCC22D7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:12.750{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2E8A48A017050FB64A98234309C25C,SHA256=429EA7C70FDF923F35A462ABD9994AE4CB888D9D63227A62135A2F79C7BEEF52,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:09.592{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:18fa:1bfd:f5ff:fef0win-host-ctus-attack-range-635546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x800000000000000083669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:08.547{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50772-false10.0.1.12-8000- 23542300x800000000000000083668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:12.032{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:13.832{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333F77CCA5B96082FBD680D437C18A2A,SHA256=1AE9D0EC8645D32C7FA4B5B80D8B5074C27DF98D818CFEEB6C1657AEE015759D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:13.578{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:11.538{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:14.137{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2FACFBDED540BFA0F4F492C2F70D41,SHA256=AA77BA02842C90CB5317B16494719156CD79B8DA4F1A525C73E2F497A4846205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:14.980{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635A59B7F3A66F4E092DF3DA25DCABA5,SHA256=FB4BB36541A14FDC036BDDA6531C373CDC2A99B6D5427C883146FCF0E383CBEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:10.392{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50773-false10.0.1.12-8089- 354300x800000000000000033350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:12.887{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000033349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:15.331{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6937C2C7B9DD38E41E4DB36BEAAEC1FD,SHA256=0262D4AF46A24DB96E47D445C236354E982C68CA2499717FDE4BB865461DC164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:16.416{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB5B9F7A66A218594761BEF385F2A73,SHA256=786C99166768DE6DC9331BF014C8D0083B820D848D41489DF931D32F7611DA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:16.021{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120B5911BD5CD283D4FADA1794216C8B,SHA256=1B817FDB54CC15589F885B8B1104A5A4DBC9BD1534AA1A8EA918C30BE84716E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:17.489{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBEA0102D4772000C221C5F0E4E6AF4,SHA256=2ABEFD7F5FC1FC39ECC8586AB837B08E4EB96ED8045179E07E87C835EA2D6BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:14.539{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50774-false10.0.1.12-8000- 23542300x800000000000000083675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:17.140{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1BA96F1230FFFE873BC326E1E5D727,SHA256=B9910CE0D723DE4DCCC2D3B014B73552662B8A5ABFDC8FFB2E3C2CDAC2E32A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:18.696{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49791B7028D747638471873049241E44,SHA256=727D090DB39EE86645A5A64AAF1720F3160A6261071F992D42C6234B135577EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:18.181{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D942D9D62709887CDBECAC68A937FEF3,SHA256=87BC5310189C6FD01F88B95CC2A649EA0BE2C1694C35579B4768DA2008A706B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:19.786{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30C1AB994AE1EE5070EEAC2C8B4D8B5,SHA256=2ADA10FC6D7F84D92822C8D38AA9682A4CDC485E7D9A7F43A8477B7EEC070959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:19.201{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9601B7212C3593B078ECC24ABE3442,SHA256=642C1F6AC15DDD01A7EEF0585D4D559F21E3416DB27649E708DFCB87C658524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:20.872{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1361EFFF83516B7FFAB30F372E645C,SHA256=B3100ED31D903516A1F6D5F044215FB41C89BFBD35694447784C328D16DECF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:20.332{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFD120CD71A2026FED4B2A38115D38B,SHA256=493F3EDA23F513E0DA3F65BC2FC9C5EEA978E5E82F4FF10044E9E683AD1D32EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:17.544{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50721-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:21.970{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2940B66B67ACE7E22CB221A519C51E84,SHA256=E8380D5AA28AB288393F5E35CAC7386C93CF92A51E84113FCC05308D7FF8A5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:21.471{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3CEF2C7CE1A4ACBE472CFD8AD39483,SHA256=643DA0A7F503096AA5D11E668B8593E2FF3991AD3226260B635F1EF79614DACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:21.186{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0F011484715B1EF0E3C4E79CDA235046,SHA256=DB286612B651AD5ABADB4537A5D76C875AA92AC932C98112A263B37740382886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:22.505{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3657B62816095FF54366AACA3A0E30F9,SHA256=6403D1218019D6E89ACBA39983D947847903C516828125AB1DFD4F42D848B664,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:19.583{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50775-false10.0.1.12-8000- 23542300x800000000000000083683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:23.555{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44AC960E61686A43FB6D95AD8B6B09D,SHA256=F6257E14E53D487DC29061CCBF66177246B1044CE28E8C9CFA58B16F293B2719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:23.261{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4165A521E27D6D03398DF3C3061D9E9F,SHA256=B803EFEACF08707C1060AF69EDE226AEDBB88E0A19CF2DCDCB733A6B36D154BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:24.609{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FAC19C3E85620E6011A45D3A83F437,SHA256=DF25FCEBC16605AC34BB11837949129D5556EA68967B810FCEF6A9B45C9B8C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.349{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.345{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.343{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.341{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 23542300x800000000000000033387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.340{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3C1FDD352F3C595A4AC9EF220D9D64,SHA256=702555010AA1044875D03DE1D28E0B2B231CA1A75CAE9E6F31A10F667AA5EAE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.340{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.336{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.336{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.335{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.334{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.331{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.330{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.328{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.326{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.324{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.322{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.312{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.304{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.300{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.286{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.280{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.269{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.258{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.251{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.226{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.219{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.209{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.202{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.197{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.190{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.181{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 10341000x800000000000000033360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:24.179{1060B4B3-4261-6387-1D00-000000009502}20042444C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012E803D0) 23542300x800000000000000083685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:25.660{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038380CECEE5ABA1D768EE755A336C04,SHA256=FA56E108DC83C6C1E349DD9B4EF8ED06C85E23DD48B14509DAF3029902207805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:25.324{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DD2F8C96F011567BF51216746186A6,SHA256=71F081654C48791CD7546DE561AF186AF532BC91F800D265F8A32F62D635B0DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:23.490{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000083691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:26.996{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:26.987{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:26.975{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:26.895{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:26.886{89C4FCAF-46C6-6387-1806-000000009402}51965292C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000083686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:26.714{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87E59988F72E6E76B24690A057B31B2,SHA256=DC431706CA807CCB217CE24CCF3B6F5AEF3235188E55E140D5B651AEE3EFF778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:26.419{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C7922050925E1168DD557F1E6976F2,SHA256=50FA9DBB2BB49B3C3244539978A8414D50EBAC25BC3FE30B091F6F7FC04B9A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.848{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207F4754A3C54CA0BC69389625FA07A6,SHA256=B9A1750C6625D69C50029090D878CEF5B4B149AD588DF848539DBD103AB8328F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:27.516{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008D5AE4B268A4C43A336077D092B4A0,SHA256=5A452C44A551B1DA254BBE8010B984ED44987FD3A7796662B5604BD313493C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.657{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.652{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.645{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.642{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.156{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.154{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.153{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.139{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.129{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.125{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.123{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.120{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.089{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.083{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.063{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.052{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.045{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.025{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.015{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:27.003{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000083713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:28.917{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE1EB9104CD674B9D8C0D5B887610F8,SHA256=FBD5E19C68B9DCFC1DD56C4C27EECDB413C04B396CE86E5D2D569C1605B8167C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:28.593{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC37E85886CDD3F5863EB523C5EF46A,SHA256=DE55EBF9298DFB27A819CC011577C9935FA25D450A3F79C5461822F7D68CC303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:29.681{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26D11FF8D0E96E99710581D265EAD6D,SHA256=A3F02E52FAC36262F018D9D36C676086FA36D0F41BF5768947CE1FE5BC300635,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.688{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.686{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x800000000000000083745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:25.582{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50776-false10.0.1.12-8000- 12241200x800000000000000083744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.480{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.480{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.480{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.480{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.480{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.480{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.480{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 10341000x800000000000000083737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.480{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.480{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.480{89C4FCAF-3FFF-6387-0B00-000000009402}624672C:\Windows\system32\lsass.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000083734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.477{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.477{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.477{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.477{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000083723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.477{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 734700x800000000000000083722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.469{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000083721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.469{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000083720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.466{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000083719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.461{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x800000000000000083718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.461{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000083717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:12:29.461{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000083716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.461{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000083715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.461{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000083714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:29.460{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:30.789{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5A7D019842FAC4856BF6851FA44032,SHA256=15594885E63CC5463DDA9933581EF2E604A98CDF0FB4AF971B82378DAEB1F339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.482{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.475{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.473{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.469{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.466{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.460{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.459{89C4FCAF-4002-6387-0D00-000000009402}9043436C:\Windows\system32\svchost.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.457{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.453{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.447{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.437{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.433{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.386{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.382{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.375{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.375{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.367{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.354{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.330{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.291{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.279{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.262{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.252{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.249{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000083759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.241{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2A72BEE34F510A8E6B7DC9E3010063,SHA256=8EC65570C9CFCDE82C54C420DE5E647B8C009120CA24EB50EFE24FC5256D83B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.236{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.232{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.231{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.219{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.215{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.214{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.213{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.210{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.209{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.207{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.204{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000033399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:31.860{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E8131D73977382CC1CF6764117EA04,SHA256=A75F3658153DED4E14A91C4DF412C33008408A93BA1E1A12C06CA14DF6D21EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:31.770{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1B80B46D4296A643955FD501A1E5F4,SHA256=22A2038CEB2ED5B42215DA6E029698F594934F0157EEA904FADB2B9D078492D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:31.570{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C069A69D73CB89CE58E983DB516DFF3,SHA256=273B2AC345E807263A8C39BFE132AEEF2873D07B56FD51C70748A8B9F9320CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:32.950{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650BA811D107E980D0B6E75CB38C35F2,SHA256=B5952D0AF02C39AA2ADA39335C5C63AE60BADE3AF12B65BD720B67AFE0B68A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:32.724{89C4FCAF-4002-6387-1100-000000009402}476NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=185C00AAE8F152087CBC8032DBBB8C00,SHA256=64DA892CAEDD14EB9C810995DA58989CA35E41780F48B22C67F03B7CBD7703F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:32.624{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CF3E9F97CE92F53BF81EED4BD608AA,SHA256=D6BAC613FD592AE7B11E6741B1136E39C419221C4043B2DD7F25DD601021120C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:29.443{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50723-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000083789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:33.659{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489DCDA32C9181A5713B67361086DCDA,SHA256=FF469AAB5374A62BDC0240A183DB75543BCA943C035EF9C4A3DBD202816DEC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:30.634{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50777-false10.0.1.12-8000- 23542300x800000000000000083790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:34.744{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00EC26D87C169FF529DC3C280591BDC,SHA256=CDD4E312A6833C97A3CE59E18E6C2E9305074FE44E259C9D11476153CFED2239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:34.138{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240AC38E81A175E0A21C9D60BE621B98,SHA256=233D31E0E22A0266BE54BF3F7FE7E8DDB3C76D7E7BC8B78073E644221BE83A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:35.800{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0993B1B342347F22864D3EB2D93050A9,SHA256=2DAA0C8D4533F573CC44F61F927CA9265F250EE021B3D5283A98E53BE74A9B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:35.337{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02411BF823C53DAE67E6950E6F0CAD3B,SHA256=E610788F88698D8E044749955952A63C775EF68632B96F55564246DC0FFA041E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:36.849{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA03D8368AECF1234DC56988D1928F7,SHA256=3B5C6A549045AAF0B3CFB521B70A018FD96B39E9F8C7D3C2B5809DEFD5183CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:36.425{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601FD954A1740A84EE94A204A9C0C3C9,SHA256=1371E1748DD19ABD0231EA38401F29C378567B53F1F0960E3F8B344AA9A1DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:37.921{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DA8F97B045D9C76159AE3977D1DF3A,SHA256=85540E476B0A961632E39A13358C4DD4C9945FF201D05B38B975FD06B33B317B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:37.712{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4560C2DCD80D41A17FF88C32E8E12314,SHA256=05192978EEAA6E54E9A79F5CC39B2D1EF6D1F223769189696A18DB03700D0E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:38.962{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867CD377A2AAEB47C6D500D48AEBAF99,SHA256=0A0EE476DDCE29148BB59BB07AF40D8C24429389FD092655089850D2BD04B325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:38.792{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3158123B30E75F7333079FD728D2842,SHA256=61763A2FB50B9F21587A75D0E50209A55B1756748C4F09E0DDD03E54408304AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:35.436{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:38.571{1060B4B3-4261-6387-1200-000000009502}988NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8A8172DC126A8A2103A4E74346D625D5,SHA256=CE7BF6AAC1404EAB97E612BA2E90EE2754990DED7253F5F5AB683354AC262AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:39.890{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06316B401CDE631863C22AEB0FAEBBF,SHA256=1044AC4CCAA7AF9C691D553FFEFE17203207FE4C57A53683953EB7D39BB053EE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000033418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000033417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004fbbed) 13241300x800000000000000033416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d904b5-0x0a2e965b) 13241300x800000000000000033415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d904bd-0x6bf2fe5b) 13241300x800000000000000033414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904c5-0xcdb7665b) 13241300x800000000000000033413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000033412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004fbbed) 13241300x800000000000000033411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d904b5-0x0a2e965b) 13241300x800000000000000033410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d904bd-0x6bf2fe5b) 13241300x800000000000000033409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-SetValue2022-11-30 13:12:39.407{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d904c5-0xcdb7665b) 23542300x800000000000000033420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:40.971{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2006601ECDC450EC86644F583C78492A,SHA256=E0669F005B448ECE8C0133EAA2148B827ADA84A438401CD305E3966C5C9F668D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:36.531{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50778-false10.0.1.12-8000- 23542300x800000000000000083795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:40.108{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37CFB4CD01D7D977D7232B207C773C4,SHA256=6495557F9490C624C848D5B89C9352F6D4829A31F3B7A810F9775FF1B5C7223F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:41.690{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:41.690{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:41.690{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:41.175{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DF0107116586CF1674F0486ABC795D,SHA256=6EA5156DE5F19BD3BE40E5A86383259977C9D219136425BB1D7871C32EBAA4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:42.213{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94AF402DC56A5BF263EEC28DD3165CF,SHA256=9ED24369C53B9A827851C32C9942CEB75855E4E76BDCB38077200BE9F16FC4E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:40.513{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:42.184{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EBC646342815F82255468F33FA2E0A,SHA256=7E287952076F14199DB9ACCDC7EB2E2C515507C0AAADDDE6AF96D41D9D5628BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:43.388{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DDB416818C36A26B6008F976F492CF,SHA256=E721BB1E774736353B8E35156C3A2B5D38568C95F6E75CA16D0BF0BE89A050FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:43.363{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DBC813CF3D75E5BF0BA3F19802071A,SHA256=74EA8B027F877F24D354569FBC28D0D301EC589FF766CBFEC95AFAACAC2EB6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.526{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68C0D4246FA48547AD8408328A15BBE,SHA256=A8ECB44FD6E38ADF09D904B5ECB17C292FC8D1225D6C8253771C98ED65A9051F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.400{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.397{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 23542300x800000000000000083800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:44.400{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766141F7540AE78924768C13EB14B76A,SHA256=A226D6BD48C255423B6BDF1674E035EA9DF0D115CE76A859AF1C34A6B710EB07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.387{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.384{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.383{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.380{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.379{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.377{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.374{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.372{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.371{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.369{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.366{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.364{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.362{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.350{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.342{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.339{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.319{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.305{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.293{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.286{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.271{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.247{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.238{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.233{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.222{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.215{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.210{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.200{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:44.198{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 23542300x800000000000000033459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:45.538{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED269DC71E1D73AFBE715C60E519D3DC,SHA256=FE1961AFCBA8F2D9247B7029E720C70EBFCF436EA8209C466B426F150FCF7D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:42.544{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50779-false10.0.1.12-8000- 23542300x800000000000000083801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:45.478{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F97F12E5D1CB1DF0D30860A3141908B,SHA256=031A996256E86FDE3BC42851895F30CAC4AEB4733CA28285F5DF53B0D5B9919B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:46.723{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF604BD9CAC9AC38D74898BAB6F2532A,SHA256=4C03206991DD766BE5A9BAA78A941C826FC9EF7F616D2BC1DFF2060686F9F48B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.989{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.974{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.965{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.952{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.938{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.879{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.876{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000083803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:46.541{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4A89E9D1E336186C2B338D0FF47340,SHA256=E349E4C8D0328521B7DB80D583418DD83088A81EFCC00C02EB331F7E0BD4D218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:47.817{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6344E4386DAA58472BD6ABFE3028669,SHA256=D438840BAFECF9296C4AAC90A21EFBBC3301D3A4F4C908C9D6AFC2FC9335179F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.829{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.820{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.814{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.808{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000083825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.578{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DE94D049AA1A87F223C16A8E62D37F,SHA256=876B170B6FA6F50AD8A6F42971F4A6C0072E96644376EB8782E5D8F0F41B25F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:47.108{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1D00-000000009502}2004C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.141{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.137{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.133{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.116{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.106{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.103{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.100{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.097{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.058{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.048{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.029{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.022{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.012{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:47.002{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000033463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:48.126{1060B4B3-4260-6387-0D00-000000009502}764828C:\Windows\system32\svchost.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:48.913{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:48.913{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:48.912{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000083830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:48.674{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FCF27D28ED547121DD59146B5368D8,SHA256=1F27ABE80A26551A1C67358B1A0DE22F4C2994E55975E2E6F4EACAE359A6A8D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:49.863{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:49.860{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000083834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:49.744{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278B47E1B391DD55010CA0C589B42A2A,SHA256=DBD8A66371ABBC2C8E8F7476E691B70547F69F1FDFE771B1851B24C0B7947BB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.650{1060B4B3-56D1-6387-9105-000000009502}38723016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-56D1-6387-9105-000000009502}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-4260-6387-0500-000000009502}396512C:\Windows\system32\csrss.exe{1060B4B3-56D1-6387-9105-000000009502}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.493{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-56D1-6387-9105-000000009502}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.495{1060B4B3-56D1-6387-9105-000000009502}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.116{1060B4B3-4261-6387-1C00-000000009502}1984NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-02f395d688d6dc534\channels\health\respondent-20221130114540-084MD5=421A2730ADAE3A660BE9B98FCB42BB32,SHA256=DD9501AE8159B049E06ACD4F3040B1765B6D21D365832970C0A6F127BF3F7749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:49.004{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385ADBDB96F119EF4703F2153D76A8EB,SHA256=EC170BEF19F2577EA983BDF26EE4F4251238334B44EDC0B6D142525E85044BFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-56D2-6387-9305-000000009502}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-56D2-6387-9305-000000009502}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.667{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-56D2-6387-9305-000000009502}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.668{1060B4B3-56D2-6387-9305-000000009502}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.626{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D9FF8542F58F37100F1B87CD003C821,SHA256=6BC7CA6BDDD198FBE9FDC827E3DB9C4FC2F5931F5EBB3B8E8A74AA849AE1E2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.116{1060B4B3-4261-6387-1C00-000000009502}1984NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-02f395d688d6dc534\channels\health\surveyor-20221130114537-085MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.115{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-56D2-6387-9205-000000009502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.113{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.113{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.113{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.113{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.113{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.113{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.112{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.112{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.112{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.112{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-56D2-6387-9205-000000009502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.112{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-56D2-6387-9205-000000009502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.111{1060B4B3-56D2-6387-9205-000000009502}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:50.094{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50386BF04C1C410910E558C9BC2BC033,SHA256=C4CD2904638F30E92B62A1A938994995BE4C79ABDAF5BAA11220D35DAFC9C80D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:46.345{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000083870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.628{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.624{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.617{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.612{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.607{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.599{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.596{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.592{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.588{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.578{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.574{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.533{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.530{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.529{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.529{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.525{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.511{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.496{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.449{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.432{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.418{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.410{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.407{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.404{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.399{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.397{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.391{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.389{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.386{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.385{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.384{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.382{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.381{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000083837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:50.378{89C4FCAF-46C6-6387-1806-000000009402}51965516C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000033525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.938{1060B4B3-56D3-6387-9405-000000009502}22801672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-56D3-6387-9405-000000009502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-4260-6387-0500-000000009502}396512C:\Windows\system32\csrss.exe{1060B4B3-56D3-6387-9405-000000009502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.781{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-56D3-6387-9405-000000009502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.782{1060B4B3-56D3-6387-9405-000000009502}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.395{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FD6A659CC15D60B5B5B0D06F65B2B5F9,SHA256=9538D2801AD7EE7DE41A9465F9CF6737D892DD295BA6DD6A6A74EFA08F2D7086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.286{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC2B102DF2D777FC8303C6D095CFD3F,SHA256=F950C12042B34DAFDD670014ADD8F5DB93FD9B6AE82B9913D9B29A596C1D216A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:51.411{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADB2D4F70E0608228C9F5B4BBBC519A,SHA256=73E0224911DCE6E6E0D5949A3A0846B2610AA3D532471EF8EC03961D74D52D6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:48.508{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50780-false10.0.1.12-8000- 23542300x800000000000000083872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:52.447{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1921F1BFE1E8D1FFB159EFB3F2EA9B29,SHA256=1AA35D833F7824EE97E1DC3EEA1BFDF0F372AA49694A74F08856E329F47B4607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-56D4-6387-9605-000000009502}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-4260-6387-0500-000000009502}396932C:\Windows\system32\csrss.exe{1060B4B3-56D4-6387-9605-000000009502}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.956{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-56D4-6387-9605-000000009502}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.957{1060B4B3-56D4-6387-9605-000000009502}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000033541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.597{1060B4B3-56D4-6387-9505-000000009502}39603400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.477{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3842CD4682E873F346D3621527C7292F,SHA256=6F58E301448F844C38F60D273F14B8B11C8B59E1252844DE58368B93C93A3964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-56D4-6387-9505-000000009502}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-4260-6387-0500-000000009502}396512C:\Windows\system32\csrss.exe{1060B4B3-56D4-6387-9505-000000009502}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.446{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-56D4-6387-9505-000000009502}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.447{1060B4B3-56D4-6387-9505-000000009502}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:52.160{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3181354282FEECAA11048521CD3E5FCD,SHA256=7EA20DD193D4CA2E3641B6D07764C0C3A1825A8394E666FD77F5CBEFB646DEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:53.571{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EE5EC104845DCB99B77E2A68DC204A,SHA256=675BF6CFAF587901C3F9267F1CACE39ADB4FE51A4A3CADDD3FA30D67BFD4EEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:53.614{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CFE27F5EA3EE138E673BDD8D2E6F7B,SHA256=13F6D0B85600212607E5E9BDAAB82572EA3E009227DC55FD4A2B102858489163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:53.128{1060B4B3-56D4-6387-9605-000000009502}14043720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.637{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E707B66B3F221420FB2BA20DF62C52,SHA256=9395124A1DFBDCE1C626286DA46D42EF22DF764ED1C37EBCACF87A1A942928C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:54.666{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CA5D4EB5A0787BB5AE91A3C8A0567A,SHA256=923746A24BCF656BB8D7BE5AC47A68E563AE1ADAAEA398D643B7A52B9C17AAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.213{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-56D6-6387-9705-000000009502}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.213{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-56D6-6387-9705-000000009502}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.213{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-56D6-6387-9705-000000009502}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 354300x800000000000000033570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:51.355{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000033569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-56D6-6387-9705-000000009502}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-4260-6387-0500-000000009502}396512C:\Windows\system32\csrss.exe{1060B4B3-56D6-6387-9705-000000009502}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.082{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-56D6-6387-9705-000000009502}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:54.083{1060B4B3-56D6-6387-9705-000000009502}3008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:55.728{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E29F301E839A403A13E92FD100EA47,SHA256=F4B54C1DF71F2EC76C143A7ABAE2A5E9790FD9F1D98CC39C623C11BFF582000B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:55.738{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E49EA94305669A55E0EF2A8F8C8DE7B,SHA256=A8E81A89E2DEA3E0E8D1A791A98966B4A13A80240D6262035567C5CFC6E6D944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:56.945{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA3AA78ACA16C8850CB3C2D4BAD369D,SHA256=A0C86D511F1CBAA56FE26968DE3DFB0B82163D9A56ECED4039DB8152276088D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:57.032{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A68AC390BDF913A053F934A433D50B3,SHA256=C599131A76E20A8E52599FC9EF0A08959961903ED9561281055E02988B09FC02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:53.544{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50781-false10.0.1.12-8000- 23542300x800000000000000033577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:58.113{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0D49AFFA23DA746A153705499EFE09,SHA256=62FB7B3DCC665716679FEB409729C738EABAA7242A314A8F8E8FEBA6D9A13155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:58.041{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBBE639270DB0FC470C2A321048755A,SHA256=40C7D7460AEC4C1A81F859CAB10A558DFB0A67ED6AA9A62C1946ACBE1E0C08E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:59.305{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE6CD27E03758D4E5AE7C64C9C8B01E,SHA256=6E35C6D69B64881F6F8626399AA5260272C7D134552C02E7C64ED148354412B7,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.875{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000083961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x800000000000000083945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000083944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x800000000000000083939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-3FFF-6387-0500-000000009402}408524C:\Windows\system32\csrss.exe{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.860{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.861{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.606{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BFD77F4195760B3CAFD1055CC43A9D9A,SHA256=09BC8B6A0ED3EBBF40A0DF810B1AC01A38B6E6E8866B370B728DF9C7F7FBB505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.476{89C4FCAF-56DB-6387-3C08-000000009402}34964784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.476{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.476{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000083928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000083927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000083926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000083925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000083924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000083923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000083922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000083921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000083920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.227{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x800000000000000083919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.208{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862713D75D815EB00CC243F793001A2F,SHA256=3C1E5E6EED588B8DE526AAD14A7B3FCE210D4A8BE760DCD3C7EE4822A57602FF,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.208{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000083917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.205{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000083916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.205{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000083915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.205{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000083914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.205{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000083913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.205{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000083912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.205{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000083911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000083910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000083909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000083908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000083907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000083906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000083905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000083904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000083903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000083902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000083901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000083899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000083898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000083897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000083896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000083895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000083894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000083893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000083891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000083888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000083887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x800000000000000083886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.189{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.190{89C4FCAF-56DB-6387-3C08-000000009402}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:12:56.444{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:00.377{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD194711DCBEE226025A4DCF04D65D5,SHA256=6BCD100A3C819D52F512B0C2E9F132559872ADF1C7DFA78EBBF826A785AE43FB,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.730{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000084040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.730{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.730{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.571{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.570{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.570{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.569{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.568{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.567{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.566{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.566{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.555{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F10511E1F9516C086BB20E3D5EB431D6,SHA256=47188621270680F6ED71487376016AAED6A5FC7F70B18A5AC72C604A2755FA8D,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x800000000000000084029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.555{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.554{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.553{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.553{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.553{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.553{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.553{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.552{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.552{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.552{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.552{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.552{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.552{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.551{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.551{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.550{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.550{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.549{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.549{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.549{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.549{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x800000000000000084008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.549{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.548{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x800000000000000084006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.548{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.548{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000084004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.548{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x800000000000000084003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.547{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.547{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000084001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.546{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.546{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000083999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.546{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x800000000000000083998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.544{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.544{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000083996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.543{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x800000000000000083995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.543{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.543{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x800000000000000083993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.543{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000083992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.543{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x800000000000000083991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.542{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.542{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000083989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.542{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000083988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.541{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000083987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.540{89C4FCAF-56DC-6387-3E08-000000009402}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.325{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AF55D0B94F55F59150C9BC378DDCCC,SHA256=3215FDAB21544D1E4878FF101CA04794FF179CFD37502040B3BD5E2FC26C3241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.276{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=476FE44AF79E540D38C95CF5574F2C1C,SHA256=54B53DFD96E0EEAC8452D922EB2537797E1D38D638B80DB3076B15D119DC1C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.210{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B62F75CF14C26D650629122AFC126E4,SHA256=8704EF8F81C8557CA18E1C901FFBF272F0A8B61DDE8C79C781788B0F4EDCEF6D,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000083983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.029{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000083982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.029{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000083981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.029{89C4FCAF-56DB-6387-3D08-000000009402}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000033581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:01.462{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B96DEA98C352281185C5D08B41B642A,SHA256=928FEB90450C64B37602EC61DE1111A4AEC4A44D6D95EB641160318A26EE1A1D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000084048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:01.912{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000084047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:01.912{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000084046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:01.912{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000084045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:01.778{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5390E396ADEA18002D2FA771BE630677,SHA256=ED300A998774247306D9A773B9901173795811267188E42C6A80781CB2E73B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:01.431{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670CDB0660BFC90330A20F7BDEB41637,SHA256=03FAFFE4B78F7FD40A6845F2D976256B7DDA465913344D517B1DD2E634DF2D7B,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000084043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:01.161{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000084042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:01.161{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000033582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:02.533{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00D44AA8C8D6C29D49D65F30580F6BD,SHA256=CF60C7C6049DC249E55B7E2DADA7CDE6077BCAD300FF54E05266FFCB057ECE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.540{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local50783-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000084054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:59.539{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local50783-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local389ldap 354300x800000000000000084053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:12:58.569{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50782-false10.0.1.12-8000- 23542300x800000000000000084052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:02.539{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2894058BB7EAAE5D0C08EE084227CB2B,SHA256=6BC53B6FE89C5E0673A666ED35385748B814B577F04187F2FB9519E472F8F0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:02.428{89C4FCAF-53ED-6387-D107-000000009402}6412ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\f8bskrpn.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000084050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:02.031{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000084049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:02.031{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3047780831-3224000367-1164970141-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000033584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:03.616{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ACF85BA063EA188053E4E0ADC490009,SHA256=AE3DAFD51483192AEB03BBBD50326DA6119056271E48B0CA86E78A7AD1BDBA0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.460{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50785-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x800000000000000084167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.448{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local63261- 354300x800000000000000084166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.447{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-61652-false127.0.0.1-53domain 354300x800000000000000084165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.440{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61652- 354300x800000000000000084164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.440{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:be7:ffff:98a0:732f:808b:ffff-61652-true7f00:1:0:0:0:0:0:0-53domain 354300x800000000000000084163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.414{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local61652- 354300x800000000000000084162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.311{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50784-false108.156.184.103server-108-156-184-103.cmh68.r.cloudfront.net443https 354300x800000000000000084161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.309{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local61000- 354300x800000000000000084160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:00.303{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local64245- 23542300x800000000000000084159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.894{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB8D2DAF6327A6DB1C1F293C191D322,SHA256=6DA02BD35C790CF3878F909A0CDB042C6AD34E39431A1A116104AC076D44459E,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.861{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000084157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.861{89C4FCAF-56DF-6387-4008-000000009402}10162760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.861{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.861{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.610{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.610{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.610{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.594{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.593{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.592{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.592{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.592{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.591{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.591{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.591{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.591{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.591{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000084119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.590{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.589{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.589{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000084116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.588{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.587{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000084114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.584{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.584{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.584{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.583{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.582{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.582{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.580{89C4FCAF-56DF-6387-4008-000000009402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000033583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:01.494{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x800000000000000084107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.491{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000084106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.488{89C4FCAF-56DF-6387-3F08-000000009402}65685320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.479{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.478{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.032{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.032{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.032{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.032{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.032{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.030{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.030{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.030{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.013{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.012{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.012{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.012{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.011{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.011{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.011{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.011{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.011{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.011{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.010{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.010{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x800000000000000084068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.009{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000084067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.008{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.006{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.006{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000084064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.005{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.005{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x800000000000000084062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.004{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.004{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.004{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.004{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.004{89C4FCAF-3FFF-6387-0500-000000009402}408524C:\Windows\system32\csrss.exe{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.003{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:03.001{89C4FCAF-56DF-6387-3F08-000000009402}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.884{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178CC99E6D8A2B42D3E0E1E0A06C242F,SHA256=F8A463047DCCF79350CE5D800F35CE1A5FF515BB0988E51FD112A27CFFFB1D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.811{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D70F734B418D40517448548CABE061,SHA256=E10998C73A73B60784478A3A16A1A945313C29069E1ACD08EF4604EB5383BFD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.316{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.314{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.313{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.310{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.309{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.306{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.306{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.305{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.304{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.302{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.301{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.300{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.297{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.296{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.294{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.286{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.281{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.278{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.267{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.262{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.255{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.249{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.243{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.224{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.218{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.213{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.205{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.199{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.193{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.185{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:04.183{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 734700x800000000000000084220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.295{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x800000000000000084219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.295{89C4FCAF-56E0-6387-4108-000000009402}55766596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.295{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.295{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000084216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.230{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F65E1E187CA368E30FCAAE66216AAC,SHA256=78AC6055FF766A61146B0AF3DAD1622771AF7D9502C3FD3E7401180046B5E3B4,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000084215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.130{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x800000000000000084197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 10341000x800000000000000084180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000084177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x800000000000000084175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.114{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.110{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.110{89C4FCAF-3FFF-6387-0500-000000009402}408612C:\Windows\system32\csrss.exe{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.110{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.111{89C4FCAF-56E0-6387-4108-000000009402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.993{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919ED3C231D77A595CCB8BE7E6F99495,SHA256=AE8FB61147F6FC91B999A4086C3E2BDBED46F6234EB0662E29524F265D3CDEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:02.207{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-657.attackrange.local59492- 734700x800000000000000084272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.431{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x800000000000000084271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.431{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x800000000000000084270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.431{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x800000000000000084269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.196{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x800000000000000084268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.196{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x800000000000000084267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.196{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x800000000000000084266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.196{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x800000000000000084265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.196{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x800000000000000084264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.196{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x800000000000000084263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.196{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=552EDF19FBCB174DCB21F0AF822DF3BD,SHA256=B6A59542BD1051D693C608069BEF8D137F13F194B5CB41883C49EBBDB75F3F10,IMPHASH=4BBF8E27EA72C8AB73778D765FCB588CtrueMicrosoft WindowsValid 734700x800000000000000084262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x800000000000000084261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x800000000000000084260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5356 (rs1_release.220906-1211)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=6198C866580580C632625342AF93C8EA,SHA256=AE5B64B3CC709FB113B0AEF8328DBA7213E65F69834362F052C62DB313C2A96F,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x800000000000000084259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x800000000000000084258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x800000000000000084257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x800000000000000084256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5501 (rs1_release.221103-1703)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=C7322EC55BB24A89D05C0F35265AD4A6,SHA256=D2645D88D5969C72D3F437094254F167EC574706C4934385F3241E78F172DFE4,IMPHASH=20DFB872C6D7FA74BA2231515DEC716BtrueMicrosoft WindowsValid 734700x800000000000000084255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x800000000000000084254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x800000000000000084253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x800000000000000084252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x800000000000000084251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x800000000000000084250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x800000000000000084249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x800000000000000084248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5501 (rs1_release.221103-1703)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A8992D0964396EE341008F5DB71E775B,SHA256=833349C542A0FFB0E2C44129FAD110214DC536F2C69907C8DAE2B6E7AEB26989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x800000000000000084247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x800000000000000084246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x800000000000000084245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x800000000000000084244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x800000000000000084243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x800000000000000084242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x800000000000000084241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x800000000000000084240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x800000000000000084239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x800000000000000084238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A36D18BE95392498D736CB9CB6F1324B,SHA256=CFF43FFE98D18B665C024777928D160B2335D7A90D7DF5E77EDCA51F722DAFF1,IMPHASH=952BB451766D014E1FD706A6F953EAF0trueMicrosoft WindowsValid 734700x800000000000000084237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5427 (rs1_release.220929-2054)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=98CD9B928E55BF4DCDB68157EAE33385,SHA256=6266ECAEA31A730D5B4FC0D097F9B1368206E903AB9EFAD2BC3E06B8AB97F239,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x800000000000000084236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x800000000000000084235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=0482CFC6D06935953519340A0D360329,SHA256=7AB410C10BE2A2C3D46BCCD878D398DFFBF2116D1AB8A5106CBBE1F9D06931E3,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x800000000000000084233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-408D-6387-B900-000000009402}31881132C:\Windows\system32\conhost.exe{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000084232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=5C300CB779A25D257929F4F9519D19D6,SHA256=D8C24A9750207C01A4DC468DBFDE7C817E28E55DC5D0EA40F9E506975C4CFA85,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EFtrueMicrosoft WindowsValid 734700x800000000000000084231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x800000000000000084230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x800000000000000084229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x800000000000000084228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-3FFF-6387-0500-000000009402}408524C:\Windows\system32\csrss.exe{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000084223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.178{89C4FCAF-408D-6387-B500-000000009402}49483576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000084222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:05.179{89C4FCAF-56E1-6387-4208-000000009402}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{89C4FCAF-4000-6387-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:06.007{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C399056AD2DA34AD7CD46E250A9FE161,SHA256=58BC78A1F774A53C01BB810CA16B7F6B9CAF1B5857000C7CCAD2E8451FCD7387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.994{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.975{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.962{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.953{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.941{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.929{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.865{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.862{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000084275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:06.279{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3381C379C4693CE9A0B0FDCDAF2BF744,SHA256=CCB22D36215500EFC7C1F14BDEF99A8A3E255BF10634CC6004D4CF8B47D611B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:07.081{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F90451BE7DB207DF90D032829A82D38,SHA256=614EE1733F04D0BCF5C7DB64F057B0F4F07914291ECC4EF9380FE9635AD62DBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.743{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.734{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.724{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.717{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.151{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.147{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.140{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000084294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.125{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723ED8CD3EA0C0E5526EE93214DA4662,SHA256=41B99BADDC528BD948928DEA42A52C1EBE92611F3A4AD122BB83326B93685E74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.115{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.099{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.095{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.093{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.089{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.053{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.044{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.022{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.014{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:07.004{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000033619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:08.162{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48FB22E4482C2EE06DF04DF9290ECB5,SHA256=FF50CDF14AAF4E79D766C89295F859550E4FE66BD969FF5E6C4C6C572F0BA274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:08.165{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F636E0C81189927C474D5AD14E6346,SHA256=D40B9F74145221EB71C7CA924718604D3FFD0A80177B8D99861D97F9E53A972E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:06.545{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50730-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:09.242{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9E3A1163C7B836E5450AA472EABB1A,SHA256=E4060460EFA9F63DB9D01DA48C6B98B315C0B235597956866939818C3DAB64A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:09.800{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:09.798{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000084304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:09.216{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B1CA97335FF5ADE59B62304D71C2B8,SHA256=A35CFDFCB7270129CC444DC1C4D3B56CB53942AE1DD62BA22C808FDC9F0584F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:04.472{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50786-false10.0.1.12-8000- 23542300x800000000000000033622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:10.323{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D350DE7634E2B3527B02555B1026AA2,SHA256=B5A589667060D4866B8A15B0EDAC4C6F863FD25C47F27F38C2C6A3EC87A085D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.597{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.592{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.587{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.578{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.571{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.563{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.558{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.552{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.547{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.536{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.532{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.497{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.492{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.491{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.490{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.488{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.469{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.446{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000084323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.402{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2E655C56641FD743449A5A5B01F130,SHA256=5A4BE7E3B0C1AB85C1C12CA19468361ADC618828254551D2DCDAC0E7C0B318E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.393{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.377{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.356{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.344{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.342{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.339{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.336{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.334{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.331{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.327{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.326{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.325{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.324{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.323{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.322{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 10341000x800000000000000084307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.318{89C4FCAF-46C6-6387-1806-000000009402}51965876C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014D86190) 23542300x800000000000000033623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:11.505{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72012064ACB84F89C25B0502C7DAA1CF,SHA256=B6D568EC5BACEE9E77CA5E52FAF2C75DE0DB241F69DEB7FCC54BC49E0AEC9080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:11.720{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD94F97555B72E8153FA6D924C33174,SHA256=5DFF2D544884C43EF4370C924D1F8F1E3AA0643F8DE99FBEF29ECB59B9B19F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:11.340{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\respondent-20221130113546-094MD5=4367FEF3D0B44A451D14676E8838B8C6,SHA256=A57E514C51A9299EE718F8B114501F94A24E2C8835ECD359B7D2BBD0A7C75EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:12.573{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F6DB7FBB128CB60554540F345E99D2,SHA256=7FFE1C6C1F34921FEBD6A0C193283DF2B37658C3B4DC434696A2CDC6F828EA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:12.437{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CF5C6B6F937E21F715418741CB5A57,SHA256=D6517B08D198D4127B30EEAB064D6893314F119C612E14072459A1312020CB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:12.339{89C4FCAF-4010-6387-2100-000000009402}2472NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0ad278f1b123f456b\channels\health\surveyor-20221130113544-095MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:12.068{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:13.680{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49908A3030098CB85DBF6C0D26D42A60,SHA256=51616FD6B09030FB2FA47D6D75C1528122CFC43511FCB8385085FA829A5599BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:13.605{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=75B55EA0C6DD224E71E588081A876538,SHA256=D68BFA6F8DD7813E5BF73DAB1FA1C75178EE825D1972714ACA959E6B3481B0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:13.519{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273C706923BF043FEF001B32A89E1C8F,SHA256=82FD306DF23094D702B193E97C12B98F2D2A4BBD48E27B91F2C6BF427783B9DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:12.328{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:14.635{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D3BDE06642BAF6F9CBDADC397D8B95,SHA256=1E4B0C341D44CA4052E70D535EF78810B1C12B9E646D9B2F661884000B8CB33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:14.720{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554EC9CFBD2E8DF6403D69BA34F17196,SHA256=A4D486819A4460DE729C7A577403A5257546CC5696C018AAECFA374E549B026D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.429{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50787-false10.0.1.12-8089- 23542300x800000000000000033630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:15.817{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BAB783C32333DF61757F430D8D6481,SHA256=AD46A8B4C016AC2CD5B1E6F44699B3CD0E131B010726505162EE7A0B4D289749,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:12.903{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50732-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000084351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:15.876{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838AC0D9FFF2FC7DA653B847D36ED7A3,SHA256=2F68609606C2A4AB21734595F71FB8E976D2DE7FB78DE8AC98CB1259A1D0B35D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:10.461{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50788-false10.0.1.12-8000- 23542300x800000000000000033631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:16.782{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F2B068111F112FC55A490365B33628,SHA256=235D3DAA156D7FF6BEB2748EAA9FAEFBEBEF5AC86EEDBA6694FD3E67F74EDE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:16.925{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF6264E1E4680D8DFDDE40EDA654239,SHA256=2E1D8009B0ABE801D77465A46AFCEA8A67CA9D017EA6E6BD467AFA887834303C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:17.859{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F425B61DAB619743F5E1FDFB626825,SHA256=9EBDE672A3F3E7BA3EC3FDF378E4E60820E0B1550D792DDBB98AD821909A7B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:18.009{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6517D547D506AECA41E2B147FC4A15A,SHA256=3735ACDB0B10326755D57BDD365774F61F6C22D867804D1C9ECF3FFD927A7A24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:17.397{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:19.162{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11449BF72973E6FD5D6C8DEC9EFCD57B,SHA256=8F599824E272F2844F1CACC443EB4C511B7231144864A767E44467D1138E0DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:19.177{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC7DBC50C4F214935A9D45D2FAF8EDA,SHA256=4AEE8F6D4FE37E84C26307CA8E44F5DFECF4EBC17797B8A043DDCDDD1F6CBDC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:20.355{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BF5DF5CBF254FF5DA7B88E5836A923,SHA256=C1D3D74D9876BD2525517A6751AFCB05A346B52B774A7E3B61A263AA1835D3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:20.248{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9661A13B364A8F778D39047E5E726F89,SHA256=6C667624AAACC8A6D3F8FF3FE975758C3ACD16C06FCB015B98E7DD1A27E3D209,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:16.468{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50789-false10.0.1.12-8000- 23542300x800000000000000033637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:21.552{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C2529489967760BDEC9CF6C462AFA4AF,SHA256=2B3F0A58CF6E3D1EF97210B957545785FAD64DD819EF2911BD06E91BA8793AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:21.428{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89D287349596700B9C2879EC699EDD8,SHA256=30F0AC0FF467C40354AA7419412268EF5A9F80F3EAA4CAA06CFB2185D8EBDFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:21.281{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEC444C40145852E8E116229E6D1B19,SHA256=667CDD162DD70EB2AB5FD7BE20B9AF3320370960E97412E9E3532FB436CAFA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:22.509{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9296788B39AEC48CAEC65E20FDBDF1F2,SHA256=94E3B13291A2B959D0E9FBA515854469B4488DBEA7D45B19F9336979A52DD3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:22.353{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7578EDD92BF65BBB8D3AD04991FDD4FF,SHA256=E13D127193892B6E9F9C81B2C37803E7E8FC68EF8BA6C0879848C6D679F15AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:23.598{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DB76AEEC8813DE5921F8CE6935BB9F,SHA256=27A37A7247BD5792713F74F213B3A9A5ACBB83C61EA853304EBFF7518B902162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:23.539{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8200D936DE5F3097C76D1765870E212F,SHA256=AD550C73C491342332AC62266F29D0393773B60AFF6D164A57B612D1D3F98163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.989{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5435406A237DDD0ED3357A03B10F612E,SHA256=E58A91E28299788E9577B2BF3A79119008BC531BCAD5A87AC118DABF5E22CFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:24.587{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A73663C7AFCABA10D5822758FCF503,SHA256=C167F1B0805D424196C6691DD435A0DA093E1973E75712D314CEAA89D958975E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.427{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.423{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.421{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.416{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.414{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.409{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.408{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.407{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.406{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.400{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.400{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.399{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.395{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.394{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.392{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.376{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.362{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.356{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.325{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.313{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.300{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.292{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.284{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.254{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.245{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.238{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.222{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.213{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.205{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.192{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 10341000x800000000000000033640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:24.189{1060B4B3-4261-6387-1D00-000000009502}20043412C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001872B5D0) 354300x800000000000000084360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:21.511{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50790-false10.0.1.12-8000- 23542300x800000000000000084362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:25.673{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFA9F26F7CA50CB1CE2A98098BBFE8B,SHA256=7E4D113329824BD1764F98435C4BECE2876712FE28A3F5BDE3063FC9C6D8693D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:22.501{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000084365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:26.921{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:26.916{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 23542300x800000000000000084363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:26.743{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C433B5BA4431513DE86C886343ECD0CD,SHA256=064CC442DB50FA1F3573EA0C299DE7BF71D55DDE3240BE34B41BA4ED0D92EB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:26.066{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED90F1C2483A5497CB388FF243CCE626,SHA256=E275E1ABE2CC0D8BB7C2F0CDA8411E4ED3F5A3B86B0FA52D477429E0767371BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.998{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.987{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.979{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.974{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000084385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.782{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144666F451EB9002996B15CBE2E35F3B,SHA256=D7A19E9E75B03F6450BB6ACCCCF08EC922FABB8977B940D927D3D6FB72F5ED9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:27.264{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC19341708B61F9FA357979DB5D8B4CB,SHA256=0931BD246E45D2C1954266422551607F1A5A6B34758B9E8B5FDA9382E4FC8C5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.345{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.340{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.338{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.320{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.303{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.298{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.295{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.291{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.231{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.224{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.201{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.194{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.186{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.171{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.148{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.125{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.115{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.090{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 10341000x800000000000000084366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:27.071{89C4FCAF-46C6-6387-1806-000000009402}51966352C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000153C4850) 23542300x800000000000000084390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:28.848{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5B650BC1BD0080A88E66657CDE8529,SHA256=8673A9F45D70976665A33F2F582E0F8D98FF6F3CBC6E4D69EED202870D565A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:28.341{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DF33DF945D3B1C33E3BE106C57C70D,SHA256=39BC179A44A7AA0CA13F3F8A514E8F1123225FB503A48B62519B4DE1CD52B80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.917{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22724A55E8B6D8935F606E8A20F8DE2,SHA256=4517BB9DDB8941EAE697602BA0893545B25BB5E32B08C1B83628DC7B774ED749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:29.454{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E9D6F1157091896E404AFA8BFF1715,SHA256=E9C9B4C22CF3AC6F705D8453B276236E1A1CB2E36AB3B98B1A46FD07D3CF46CA,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000084421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 10341000x800000000000000084414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.481{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.481{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000084412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.481{89C4FCAF-3FFF-6387-0B00-000000009402}624672C:\Windows\system32\lsass.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x800000000000000084411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.481{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 12241200x800000000000000084400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.479{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exeHKCR 734700x800000000000000084399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.472{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x800000000000000084398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.472{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x800000000000000084397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.471{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x800000000000000084396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.465{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 12241200x800000000000000084395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.465{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 12241200x800000000000000084394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-CreateKey2022-11-30 13:13:29.465{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM 734700x800000000000000084393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.465{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x800000000000000084392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.465{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x800000000000000084391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:29.464{89C4FCAF-4001-6387-0C00-000000009402}8405696C:\Windows\system32\svchost.exe{89C4FCAF-46C6-6387-1806-000000009402}5196C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:30.572{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE798380F4EFB25FE7CC7967E0A7C2A,SHA256=E98077BF3E59B125D22F8D2005074151603A3915A35A438CAA328B930721D237,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.778{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.775{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.771{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.766{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.761{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.754{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.751{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.746{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.739{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.727{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.724{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.694{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.692{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.689{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.689{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.686{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.674{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.649{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.608{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.599{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.585{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.577{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.571{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.564{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.559{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.555{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.547{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.544{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.542{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.534{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.531{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.530{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.527{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.524{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000084425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:26.542{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50791-false10.0.1.12-8000- 10341000x800000000000000084424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.005{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000084423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:30.002{89C4FCAF-46C6-6387-1806-000000009402}51965496C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000033677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:27.555{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:31.755{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9288582B5B46087AA51FB7B429272061,SHA256=B24802B6652EBF87BB2B2EDACD47D80B3240B1EC71C51A9D703391368D06258F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:31.862{89C4FCAF-408D-6387-B500-000000009402}4948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C5F31E5B793EAD63A6843E55C4A9F9FB,SHA256=D3596B0D935AAC7BFF0DAB7E3B59AAAF0F816982549CDD36F240DAD5AD34E89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:31.458{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60687AE3CEE6062BF4FFC0D71E1EB7C1,SHA256=DB1A00E8317BCB2A7B06AC17D8758D32D219BFACE2180BDC80FC2488679665BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:32.840{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0591F7E10C243D573E06D919A73FC3,SHA256=17603CDA404A1B3B37B8DBDF977D90F0F1394A43CB2EC846C8868B2A88BF078E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:32.741{89C4FCAF-4002-6387-1100-000000009402}476NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A25F8C976331E008604AB018E8B0D449,SHA256=30E70DBADDAAAF80E46AC88A8C7D33AFF2355A78E462C4DB7AC1F46665495939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:32.524{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DCAFB482960CF900C804662E99642B,SHA256=E488C3197207C64C7C1B5C0934B5361B68764ADFDD43A93AAA9B52D729D28837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:33.911{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23ADCFB8293A4D82470D12710C5C0431,SHA256=EA7DF985C8437FE14AF5BC9FF767A68ACF0E82E0D31A1135FE378E3BAAB6394F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:33.579{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BACE75B576BDEFE58FEFB0DE90B38E0,SHA256=2169775DCAE843E718A9922799DEDB2E5E22D81EDA746FD6F007F946889D74DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:34.662{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A0B1CB7AD71C5A10DD31DEEB7CE2CE,SHA256=8BF75F6DBF1BA9221A74F8AC91B9D220DE8A1AD428400C10FAEA91D3781E3282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:35.214{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDBB2A9A2C6D6D0CCDBD6CABD0E7E80,SHA256=5755B6ABCB5D38F94DA72B2232BA3C1E708F2D499855FDD6574A59E2E27504A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:35.763{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918327BE8C803088EF01CCBEA78884A0,SHA256=A65F78D6E5486E81060E18F60DC7ACEA8E6FA968B651E73589FAD87A185ADF31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:32.570{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50792-false10.0.1.12-8000- 23542300x800000000000000033684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:36.317{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13285AD668212F165E662F6A87C06F77,SHA256=1CAD3E8231D9A5C1161DE288B1F606927751D58F0F93729F0A3EBB8E86CE342A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:33.484{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000084468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:36.848{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825551BCFCF65438366E24D83AF73383,SHA256=88072C8375D8BD2EDA23F3FF2FBD8C741EE9CEE06A74A16CEF59C2EC7D58AE58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:37.285{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C4B39C97AE1BCB2F6BB28600EB5F87,SHA256=9BB367F1D172D384FF448E4B50C26C6C1441ED73516F6512BAE65B21B953107B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:37.887{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41580FA94F506BD682589615D5CAB1C,SHA256=966ADADDF8E5400A8EF7FFF70F165FB9BED2F1CEC1D94537E88754D06463CEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:38.586{1060B4B3-4261-6387-1200-000000009502}988NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DFAE696D250496F784383EAE5F431B4D,SHA256=4E4F8393907A8CC304CE59C76460923A9BA6774355AD5704C6709BAF862A9010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:38.476{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377E98072CEF7C6429F89DE9028652E1,SHA256=342DF0A1B8C79985ADC3CE9A6FFA58921CEE12F2C3FAA053FAA4AE84570F1637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:39.680{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A620ABE55A8A77A60D599BA105F08F30,SHA256=215173D3104E79017DEFC825EC9ABAA5D12DB93D7E5A6F52A582EAD83A8D2D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:39.555{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F61656E587EC3BB228AFA9A73F3B4C,SHA256=2E9E6C13C44243B4622398A0FB3B42C3C0D19DEA5766CDE8A49C4BA11D032705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:39.035{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A69AA0B399D7E07CE6C6406E0090BAB,SHA256=00B867E36DFFC640F763A5DB1AA0CABC9F77C59BC7CF1C9C2B5AE105D5072353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:40.644{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43D6C21222570A1C78BE20B8A740AEF,SHA256=64D59B8DF8899DBDB8E22C2A61642388BA3B743B1CC5351667B1A337D6A92826,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:37.579{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50793-false10.0.1.12-8000- 23542300x800000000000000084471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:40.131{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB42617A35159B7B21D6440F80840330,SHA256=152994B23FF542AA756EEB3EA718E0FC15B3A321E142C6234D9ED7100150AD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:41.726{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6021E7B563488E1282D63657F690FA,SHA256=E3E3230EBF87BACB5B0553C0E1149086663445467CB12F08ED0D4568256A1C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:41.292{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A92A4FAFF0D54C8B0BD00D1FE52641,SHA256=6E28A957967F5B0C0842851E08D72E82CB8A75C1EF9E87C0E55AB9BEA8C631A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:38.530{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:42.809{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C5547FC16C002511FD0E2BCF9BD610,SHA256=3574A8A6EB23358CC604F631956818939224D2EE130101E63E806D3FF6CBBA71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:42.394{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63457CFD6624F0BE5B5C5522FE8FE20F,SHA256=81518E58C6357767C408062F4309E7EEE279A9B83DA24C2A59FDF36C93430FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:43.902{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6643BEFB3DEB7E27975BAE6E9A2E56,SHA256=CE235A725AA2EF44FFF50D3FC42DF3B975F0AC89618AA4FD1A5388FB7D48DD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:43.576{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9918490138A0C251CD2C3138BB959722,SHA256=F801CF23AAB329AAA84FFF18D881C3B4AEA711137EB24E81901E666E041D8B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:44.664{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85E460E185FA06083581182721BAB61,SHA256=E1E3A6DE280E92A4BBC98937583B6AAB8BDD05CC7A85B6197B3F13B004AE162E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.347{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-480B-6387-D603-000000009502}3964C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.337{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E9-6387-E800-000000009502}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.335{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.333{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A200-000000009502}508C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.332{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DC-6387-A000-000000009502}2456C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.328{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.327{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5C00-000000009502}4048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.326{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4268-6387-5B00-000000009502}4036C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.325{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3C00-000000009502}2992C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.317{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4264-6387-3800-000000009502}2700C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.316{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4262-6387-2D00-000000009502}2764C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.314{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-2000-000000009502}2236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.312{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1F00-000000009502}1432C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.311{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1E00-000000009502}2012C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.309{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1C00-000000009502}1984C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.301{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.296{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1800-000000009502}1792C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.294{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1700-000000009502}1292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.281{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1600-000000009502}1244C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.276{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1500-000000009502}1128C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.270{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1400-000000009502}1108C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.265{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1300-000000009502}1004C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.252{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1200-000000009502}988C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.233{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.219{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-1000-000000009502}916C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.214{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0F00-000000009502}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.206{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4261-6387-0E00-000000009502}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.200{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0D00-000000009502}764C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.192{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0C00-000000009502}708C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.186{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 10341000x800000000000000033695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.180{1060B4B3-4261-6387-1D00-000000009502}200492C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-4260-6387-0900-000000009502}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000171EE3D0) 23542300x800000000000000084477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:45.700{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7588F4356259523E104E492EEDA26ABD,SHA256=6BE45413C55D8DFEB4A3EBE65DE081B89B1372B94A0B1F614F97B8E102D9DFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:45.166{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFB6F59D2D9CEB278BF220B0DA1D8EB,SHA256=DA32108FE1B77B377D364795409EB27FAAD846D6C338E88276F61D6536324227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.996{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1100-000000009402}476C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.973{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1000-000000009402}400C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.952{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0F00-000000009402}356C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.945{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0E00-000000009402}1000C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.929{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-0D00-000000009402}904C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.919{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4001-6387-0C00-000000009402}840C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 354300x800000000000000084481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:43.436{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-657.attackrange.local50794-false10.0.1.12-8000- 10341000x800000000000000084480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.869{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0B00-000000009402}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.866{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-3FFF-6387-0900-000000009402}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000084478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:46.782{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F103B7B94024B11859D72AFA0B98A0EE,SHA256=50AFD0C0891650DB0C67345ACF597B7A897ECE57F7BE3101149E308B9E89DA0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000033728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:44.536{1060B4B3-42E3-6387-CF00-000000009502}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-635.us-east-2.compute.internal50738-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000033727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:46.248{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F906947A4DD431E5A7A0D3A1F09A498B,SHA256=68CB0EE30B3628547D6D1710C2777A4E7AA836B99DA728F993FE795BA6EDDFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.803{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FC39DD1A9163DD2E2F316D5EB672F3,SHA256=9975DE7109D91B4B12BF222690E28C82607A37735FC59DA266FF7348E21D60B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.798{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2900-000000009402}2684C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.792{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2700-000000009402}2564C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.788{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2400-000000009402}2528C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.784{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2300-000000009402}2520C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000033733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:47.309{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306D2A30B5BCF5DB92E4A1F64335C86A,SHA256=69A2654AF91263E0B0E6D250296AC246E06052B52C5C8974AFA9DC540B75CE35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.147{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2200-000000009402}2512C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.143{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2100-000000009402}2472C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.140{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2000-000000009402}2464C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.125{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1F00-000000009402}2456C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.115{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-1E00-000000009402}2376C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.111{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-400B-6387-1C00-000000009402}2236C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.108{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4003-6387-1900-000000009402}1236C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.104{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1700-000000009402}1428C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.060{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1600-000000009402}1312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.053{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1500-000000009402}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.034{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1400-000000009402}1100C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.027{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1300-000000009402}352C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:47.016{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4002-6387-1200-000000009402}384C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000033732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:47.128{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:47.128{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4260-6387-0B00-000000009502}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:47.127{1060B4B3-4260-6387-0B00-000000009502}6123568C:\Windows\system32\lsass.exe{1060B4B3-4261-6387-1100-000000009502}924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c0dd|C:\Windows\system32\lsasrv.dll+29090|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:47.109{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1D00-000000009502}2004C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f906|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000084506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:48.884{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2715EDA4354B735C010632C532C1BAA6,SHA256=314E1359C76C8779FC97C21D9A6238F1A2FDAD26FB732FF68089DC62737AB3BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000033734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:48.383{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD15BF509B9F567A7651DFBDCC153ADF,SHA256=BE25CD3B2FEE2263660FD14609650FD5D03626BEF971E51DFED6AD9C6D5C965F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.696{1060B4B3-570D-6387-9805-000000009502}40323372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.589{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-570D-6387-9805-000000009502}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.588{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-570D-6387-9805-000000009502}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 10341000x800000000000000033749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.588{1060B4B3-4261-6387-1D00-000000009502}20042320C:\Program Files\Aurora-Agent\aurora-agent.exe{1060B4B3-570D-6387-9805-000000009502}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880190) 23542300x800000000000000033748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.566{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666892888269100561E26CF94FB39618,SHA256=F7536C14743F2648BB5BF70D6779B3959EE5D1837E95FEBE8BDE869850C2C531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-570D-6387-9805-000000009502}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-570D-6387-9805-000000009502}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000033736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.499{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-570D-6387-9805-000000009502}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:49.500{1060B4B3-570D-6387-9805-000000009502}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:49.806{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4011-6387-3100-000000009402}3220C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:49.805{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4010-6387-2A00-000000009402}2904C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000033782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.730{1060B4B3-42DB-6387-9B00-000000009502}2808NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CF8C74CB657A18604D8D2793925273DF,SHA256=291051C610D078C1F2B09ADE53E49D7A644A48CBA2CBD0BBB309C68F2D4CDC92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-570E-6387-9A05-000000009502}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000033773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6A991ECF138907A5AA8C2BB0FD868D,SHA256=F84860E8CB926411B067E07A73AB3B684209551701AC998788E1E11D15383D96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0C00-000000009502}7082604C:\Windows\system32\svchost.exe{1060B4B3-4261-6387-1B00-000000009502}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000033770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-4260-6387-0500-000000009502}396412C:\Windows\system32\csrss.exe{1060B4B3-570E-6387-9A05-000000009502}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000033769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-42E9-6387-E800-000000009502}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EED16F0DEE20519C5581E874D54C4CE5,SHA256=8C23B71057A4B0652039C16AF132F65FA8DB52BF1271608C6E118DC710E9CF9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.683{1060B4B3-42DB-6387-9B00-000000009502}28083440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{1060B4B3-570E-6387-9A05-000000009502}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000033767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.685{1060B4B3-570E-6387-9A05-000000009502}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{1060B4B3-4260-6387-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{1060B4B3-42DB-6387-9B00-000000009502}2808C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000033766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.632{1060B4B3-4261-6387-1C00-000000009502}1984NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-02f395d688d6dc534\channels\health\respondent-20221130114540-085MD5=421A2730ADAE3A660BE9B98FCB42BB32,SHA256=DD9501AE8159B049E06ACD4F3040B1765B6D21D365832970C0A6F127BF3F7749,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.570{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5497-6387-FC07-000000009402}5472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.566{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FB07-000000009402}6060C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.560{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-FA07-000000009402}6804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.550{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5496-6387-F907-000000009402}6856C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.546{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-5494-6387-F807-000000009402}6900C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.536{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F1-6387-DA07-000000009402}952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.532{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D707-000000009402}1396C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.527{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D607-000000009402}6984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.522{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53F0-6387-D507-000000009402}5132C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.508{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D307-000000009402}2424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.506{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53EF-6387-D207-000000009402}4456C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.478{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-53ED-6387-D107-000000009402}6412C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.475{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4AC9-6387-B406-000000009402}4460C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.473{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-AA06-000000009402}6936C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.473{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A94-6387-A906-000000009402}5612C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.472{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4A56-6387-A006-000000009402}5072C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.459{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C7-6387-1906-000000009402}5308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.441{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46C6-6387-1706-000000009402}5148C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.395{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B9-6387-0806-000000009402}4848C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.374{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FD05-000000009402}3232C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.362{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B8-6387-FA05-000000009402}3028C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.353{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B6-6387-F605-000000009402}576C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.352{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-46B5-6387-F405-000000009402}4520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.348{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-409C-6387-FF00-000000009402}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.344{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4095-6387-E600-000000009402}580C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.342{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B900-000000009402}3188C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.336{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408D-6387-B500-000000009402}4948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.332{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-408A-6387-AA00-000000009402}2556C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.331{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7700-000000009402}2080C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.329{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4026-6387-7600-000000009402}3832C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.328{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7500-000000009402}500C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.327{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4020-6387-7400-000000009402}420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.326{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3E00-000000009402}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000084510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.322{89C4FCAF-46C6-6387-1806-000000009402}51965228C:\Program Files\Aurora-Agent\aurora-agent.exe{89C4FCAF-4012-6387-3A00-000000009402}3484C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000084509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:13:50.036{89C4FCAF-409C-6387-FF00-000000009402}4448NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8188E583C358F4E2B6B5B6C11439AA,SHA256=2E8345452DACF405AE87EB62EF446857492A1B9053BA2BB3EF43D6339E18DA84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000033765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-635-2022-11-30 13:13:50.175{1060B4B3-42DC-6387-A000-000000009502}24563036C:\Windows\system32\conhost.exe{1060B4B3-570E-6387-9905-000000009502}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL